Well, to make the request one would have to know that it's an account
that is hit by the measure. That means that either one knows the
password is equal to the login name, or one has guessed it. In the
first case they are the correct person. In the second case, they
basically have done some password cracking, which even with an easy
password is not a trivial thing. I would say that for an active
account, if there is only one request within a reasonable timespan, it
would be safe to assume it comes from the user him/herself. For
inactive accounts I would say "too bad, get a new one."

It's not difficult to write a bot that goes through lots of accounts
trying to log in with the username as the password and seeing if it
works. That's why such passwords have been blocked. If we let people
into the accounts without any verification we might as well just let
people keep the insecure passwords.