It is incredibly lazy. Which is important for sites that need users to create accounts, because users go away in droves when they get a screen that makes them login or create an account.

It’s no less secure than any account which uses email for password recovery — there is no new vulnerability. It’s more secure in a way because the password doesn’t have to be memorable and the password doesn’t get written down.