I understand what you are saying. A "hack" comes from two ends. If the site got hacked, of course that is one thing. However, if the hack(s) keep coming on the user's end, there are many things that can fortify your defenses. I am not asking for an adversary to come after me by any means, but using VMs and only Linux has kept me clean as a whistle against these hacks on all sites so far. Still, I have requested that Theymos consider U2F, which is the ultimate protection mechanism, and it's not too tough to deploy.
I do like the idea of sending a LINK to the registered email account as a REQUIREMENT to change a password or email addy, as long as it would also require that you enter the CURRENT password correctly first. Password would authorize the link to be sent. This would protect against someone hacking your email and not knowing your btc login credentials. Maybe paper code backups if both of those fail. If you lose all three then tough shit your account is gone ---- grow up time!!
No matter how it happens, it can be prevented in most cases by adding simple email authorization. I don't see U2F being added soon because as of now only Chrome supports it, and it's kinda complicated and not well documented for developers.