Many companies are told but few listen
As a security consultant, I repeatedly tell clients that a customer's password should never be retrievable, even by the customer.
Look at Microsoft AD: it may have many issues, but even if you are the Domain Admin with every right across the whole AD domain, you cannot view another user's password. You can delete it, you can change it, but you can't see it.
If a customer wants to reset their password, fine: they can input the old password and change it.
If they forget their password, have a temporary one-time password sent back to them, or even have an operator generate a one-time password for them to use.
If an operator or call centre operative can see a customer's password, you have an instant opportunity for fraud within the business.
However, companies seldom listen to security people (even if they are paying massive consultancy fees), because security doesn't generate revenue. However, if a marketing/customer experience person thinks it would be 'easier' for customers to recover their own password or have a call centre agent look it up, then that becomes the norm. Of course, when an incident takes place it's not their fault, it's an IT issue.
This will keep happening until some government has the balls to say that when a company has a security breach, the C-levels will be in the dock, looking at some time at Her Majesty's pleasure.
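The design the commenter describes (no stored password is ever recoverable, self-service change requires the old password, and "forgotten" passwords are handled with a one-time, time-limited token rather than a lookup) can be shown concretely. The following is an added example written for this page, not the commenter's code; it uses an in-memory dictionary as a stand-in for a user database, PBKDF2-HMAC-SHA256 from the standard library as the one-way password hash (any slow password hash such as bcrypt, scrypt or Argon2 would do), and hypothetical function names such as `issue_reset_token` and `operator_view`. The point of `operator_view` is that a help-desk operator, or anyone dumping the table, only ever sees a salt and a hash.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory "database" for the example. A stored user record
# holds a random salt and a one-way hash of the password, never the password.
USERS: dict = {}
RESET_TOKENS: dict = {}

PBKDF2_ROUNDS = 100_000          # work factor; tune for ~100 ms on production hardware
TOKEN_TTL_SECONDS = 15 * 60      # reset tokens are only valid briefly
_DUMMY_SALT = b"\x00" * 16


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_user(username: str, password: str) -> None:
    """Store only salt + hash; the plaintext is discarded as soon as it is hashed."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        # Do the same amount of work for unknown users so timing does not
        # reveal whether an account exists.
        _hash_password(password, _DUMMY_SALT)
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def change_password(username: str, old_password: str, new_password: str) -> bool:
    """Self-service change: the current password must be supplied."""
    if not verify_password(username, old_password):
        return False
    create_user(username, new_password)   # re-salt and re-hash
    return True


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """'Forgot password' / operator-assisted flow: a one-time, time-limited token.

    Only a hash of the token is stored, so reading the table does not reveal
    a usable token either. Issuing a new token replaces any earlier one.
    """
    if username not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = {
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def redeem_reset_token(username: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
    """Consume the token (single use) and, if valid and unexpired, set a new password."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.pop(username, None)   # pop: consumed whatever the outcome
    if rec is None or now > rec["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(rec["token_hash"], presented):
        return False
    create_user(username, new_password)
    return True


def operator_view(username: str) -> Optional[dict]:
    """Everything a help-desk operator (or a DB dump) can see about the credential."""
    rec = USERS.get(username)
    if rec is None:
        return None
    return {"salt": rec["salt"].hex(), "hash": rec["hash"].hex()}


if __name__ == "__main__":
    create_user("alice", "correct horse battery staple")
    print("operator sees:", operator_view("alice"))
    tok = issue_reset_token("alice")
    print("token redeemed:", redeem_reset_token("alice", tok, "new password"))
    print("token reusable:", redeem_reset_token("alice", tok, "another"))
```

The `now` parameter exists only so expiry can be exercised deterministically; in a real service the token would be delivered out of band (e-mail, SMS, or read out by the operator) and the reset endpoint would additionally rate-limit attempts and log each issue and redemption for the fraud team.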