Well, to make the request one would have to know that it's an account that is hit by the measure. That means that either one knows the password is equal to the login name, or one has guessed it. In the first case they are the correct person. In the second case, they basically have done some password cracking, which even with an easy password is not a trivial thing. I would say that for an active account, if there is only one request within a reasonable timespan, it would be safe to assume it comes from the user him/herself. For inactive accounts I would say "too bad, get a new one."
It's not difficult to write a bot that goes through lots of accounts trying to log in with the username as the password and seeing if it works. That's why such passwords have been blocked. If we let people into the accounts without any verification we might as well just let people keep the insecure passwords.