If you leave your machine in a public place without locking the screen and requiring a password, you have already failed WAY more than Apple here.
Yeah, bad form, they should request the current keychain master password before allowing any other password changes. However, that's a "best practice" issue, not an actual security risk, since it's not possible to happen without a bigger security issue to start with. They have to get logged onto your machine to access this feature. If they can already do that, you have already lost. This is a small issue.
There has never been a single successful machine hack that allowed remote control of a Mac ITW ever. PWN2OWN has only been done using custom-made web sites, and to get this control required he be at the machine when it happened. It cannot be done by a bot or virus, and you have to fall for the phishing scam first...