Conrad Irwin writes,
The point of the password is so you can prove to the web interface that you own the email address; so the fact that it is in your email box doesn't matter much. (If your email gets hacked this is the last thing you're likely to be worried about after all.) As it says on sign up "do not use a valuable password".
The problem with a cleartext password in email isn't that your email might get hacked. It's that each device with access to the network path from list server to mail server and mail server to email client has access to the password. Search the net for "password sniffer" for more information.
In which case so could the password reset emails. It gains you nothing.
Password reset tokens or URLs are generally designed to be used one time, and then they expire. The user generally uses it within a few minutes of initiating the password reset, preventing any later use of it.
On the other hand, sending a user's password through the mail exposes it to being logged for later use. For a security-conscious user, it effectively spoils its use forever.
I agree that you shouldn't use a valuable password with Mailman, and that the Mailman project is the right place to ask for a change in Mailman's behavior.
Pete