Excellent suggestions from Marco Arment as usual:
At the bare minimum, for this level of recovery that bypasses security questions, they should require confirmation of the entire credit-card number and verification code, no matter what they need to do to remain PCI-compliant and pull that off.
And ideally, before resetting a password by phone, they’d send a forced “Find My”-style push alert to all registered devices on the account saying something like, “Apple Customer Service has received a request to reset your iCloud password. Please call 1-800-WHATEVER within 24 hours if this is unauthorized.”
Then make the person call back the next day. If you forget your password and the answers to your security questions, it’s not unreasonable to expect a bit of inconvenience.
Is there anyone out there, except maybe Apple, Inc., who disagrees?
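The flow Arment describes (alert every registered device, hold the reset for 24 hours, let the real owner cancel in that window) is easy to sketch as code. The block below is an added illustration written for this post, not Apple's code and not anything Arment published; the service, device registry, fake clock, and `cancel_token` are all assumptions standing in for a real backend, and the accounts and device names are constructed sample data.

```python
"""Delayed password reset with out-of-band alert and a cancellation window.

Added illustration (not Apple's code). Models a phone-initiated reset that
alerts every registered device, holds for 24 hours, and completes only if
nobody cancels inside that window.
"""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, List, Tuple

HOLD = timedelta(hours=24)  # the "call back tomorrow" delay


class State(Enum):
    PENDING = "pending"
    CANCELLED = "cancelled"
    COMPLETED = "completed"


@dataclass
class ResetRequest:
    account: str
    created_at: datetime
    cancel_token: str  # quoted in the push alert so the owner can revoke
    state: State = State.PENDING


@dataclass
class RecoveryService:
    # Hypothetical in-memory stores standing in for a real account backend.
    devices: Dict[str, List[str]]
    clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)
    requests: Dict[str, ResetRequest] = field(default_factory=dict)
    sent_alerts: List[Tuple[str, str]] = field(default_factory=list)

    def request_reset(self, account: str) -> ResetRequest:
        """Phone call #1: open a request and push an alert to every device."""
        existing = self.requests.get(account)
        if existing and existing.state is State.PENDING:
            return existing  # one open request per account
        req = ResetRequest(account, self.clock(), secrets.token_urlsafe(16))
        self.requests[account] = req
        for dev in self.devices.get(account, []):
            # Forced push to all registered devices, not just the caller's.
            self.sent_alerts.append(
                (dev, f"Reset requested for {account}; cancel within 24h"))
        return req

    def cancel(self, account: str, token: str) -> bool:
        """Owner responds to the alert; token must match in constant time."""
        req = self.requests.get(account)
        if req is None or req.state is not State.PENDING:
            return False
        if not secrets.compare_digest(token, req.cancel_token):
            return False
        req.state = State.CANCELLED
        return True

    def complete_reset(self, account: str) -> bool:
        """Phone call #2: succeed only if the hold elapsed and nobody cancelled."""
        req = self.requests.get(account)
        if req is None or req.state is not State.PENDING:
            return False
        if self.clock() - req.created_at < HOLD:
            return False  # still inside the cancellation window
        req.state = State.COMPLETED
        return True


class FakeClock:
    """Constructed test clock so the 24-hour hold can be simulated offline."""

    def __init__(self, start: datetime) -> None:
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, delta: timedelta) -> None:
        self.now += delta


def run_scenario() -> dict:
    """Two constructed accounts: one reset completes, one is cancelled by the owner."""
    clock = FakeClock(datetime(2012, 8, 1, tzinfo=timezone.utc))
    svc = RecoveryService(devices={"alice@example.com": ["iPhone", "MacBook"],
                                   "bob@example.com": ["iPad"]}, clock=clock)
    svc.request_reset("alice@example.com")
    alerts = len(svc.sent_alerts)                    # one alert per device
    early = svc.complete_reset("alice@example.com")  # refused inside the hold
    clock.advance(timedelta(hours=25))
    late = svc.complete_reset("alice@example.com")   # allowed after the hold

    req = svc.request_reset("bob@example.com")
    bad_cancel = svc.cancel("bob@example.com", "wrong-token")
    good_cancel = svc.cancel("bob@example.com", req.cancel_token)
    clock.advance(timedelta(hours=25))
    after_cancel = svc.complete_reset("bob@example.com")  # cancelled, so refused
    return {"alerts": alerts, "early": early, "late": late,
            "bad_cancel": bad_cancel, "good_cancel": good_cancel,
            "after_cancel": after_cancel}


if __name__ == "__main__":
    print(run_scenario())
```

The point of the hold is that the attacker's call cannot finish the reset in the same session: the request is visible on every device the real owner holds, and a valid cancel token revokes it before the second call can succeed. The full-card-number-plus-CVC check Arment also asks for is deliberately left out here, since storing and comparing those values is exactly the PCI question he alludes to.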