Hi David,
Always good to see security reviews and tests.
Glad to see that only this item concerns CB
Yes, we are implementing a password reset mechanism similar to Joomla 2.5 in upcomming CB 2.0. We will discuss if we should backport this to CB 1.9.
As a general rule, if you have any security-related items, even minor, please use the "Contact" link at bottom of any page for private reporting instead of posting in forum.