
Had a similar experience with Dreamhost about 2 years ago. I sent them an email pointing out the insecurity of sending passwords in an unencrypted email, but they seemed to feel that their customers "appreciated" the ease of password recovery over security.


I remember reading an idea of a "login via email" link. This would probably be even more convenient than a password reminder and just as secure as a reset link (assuming it only works once and has a time limit).
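The single-use, time-limited login link described in the comment above, as an added example (not code from the thread); the `MagicLinkIssuer` class, its in-memory store and the 15-minute default TTL are assumptions for illustration.

```python
import hashlib
import secrets
import time


class MagicLinkIssuer:
    """Issues and redeems 'login via email' tokens.

    Hypothetical design: a token is valid for one redemption only and
    only until its expiry. Only the SHA-256 of the token is stored, so a
    leaked store does not yield usable login links.
    """

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        # token_hash -> (email, expires_at); a real service would use a DB
        self._pending = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, now=None):
        """Create a fresh token to embed in the emailed link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._key(token)] = (email, now + self.ttl)
        return token

    def redeem(self, token, now=None):
        """Return the email the token was issued for, or None if invalid.

        pop() removes the entry before any check, so a token can be
        redeemed at most once and expired tokens are purged on contact.
        """
        now = time.time() if now is None else now
        entry = self._pending.pop(self._key(token), None)
        if entry is None:
            return None  # unknown, already used, or forged
        email, expires_at = entry
        if now > expires_at:
            return None  # link arrived too late
        return email
```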


Exactly: as the admin, you see a potential vulnerability; as the end user, you just don't want to remember a password; and as an attacker, you see an opportunity.



