I've just implemented a per-user limit on password reminder emails. By default, 24 hours must elapse from one password reminder to the next. I figure if you've just been sent one password reminder, you don't need another one, assuming your mail was working. There is also a per-IP limit which was already implemented, it just needs to be configured properly. The per-user limit prevents mail-bombing of a given user with multiple password reminders, and the per-IP limit makes it more difficult to send password reminders to a large volume of users. Per-IP limits are prone to false positives due to shared IPs, and can be evaded to some degree by technically capable users, but the per-user limit is quite secure.
Both features will be enabled on Wikipedia soon, if there are no sensible objections.
-- Tim Starling