If someone tried to buy an app "manually" using their own device and your account, they would need to know your email address and password. There's plenty websites out there that store password in plain text, some of them even email it to you so everyone can intercept it. Other sites use some encryption, but could be still be compromised.
The possibility I hinted at is that someone just "pretends" they have an iPhone and communicate with the Apple server directly. I don't know how their algoritm works, but it may be the case that they only need an Apple id and some secret key that is stored on the device. In that case asking the user for their password is just a way to protect the user when they lose their actual device. That would be pretty insecure from Apple's side. They should at least use the password to generate a key pair. (This doesn't necessarily require anyone to steal secret keys from Apple I just realize)
The possibility I hinted at is that someone just "pretends" they have an iPhone and communicate with the Apple server directly. I don't know how their algoritm works, but it may be the case that they only need an Apple id and some secret key that is stored on the device. In that case asking the user for their password is just a way to protect the user when they lose their actual device. That would be pretty insecure from Apple's side. They should at least use the password to generate a key pair. (This doesn't necessarily require anyone to steal secret keys from Apple I just realize)
I completely agree with your second more general point. See also my comment on the Paypal thread: http://news.ycombinator.com/item?id=2880194