
We did this on Toptranslation.com as an alternative to the normal password-based login. The thinking is, since password resets go to your e-mail, anyone who has control over your mail or mail server can get into your account anyway. It's a tradeoff between user (mostly enterprise customers') convenience and security. Since all orders made through the system require another confirmation, we decided it was worth not having to handle the "I forgot my password" support tickets. Haven't had any problems with it, I think it makes sense for low- to medium-security authentications.



There's a difference between a one-time, quickly-expiring password (requiring reset on use) being sent on email, as opposed to having the password reside there in perpetuity.

In one case the attacker needs full control during the password reset and in the other they can simply scour email for all passwords and get out - perhaps even without controlling the account - i.e., transparent proxy + poisoned DNS would do the 2nd easily.


The emails contain single-use links. Each time you log in you need a new email. http://news.ycombinator.com/item?id=4572031


"password reside there in perpetuity"

It seems like you could easily handle this by making the link invalid after a certain time period, requiring you to request a new one. Which is actually what a lot of password reset emails do currently.
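As an added example (not code from Toptranslation or from any commenter in the thread), this is how the single-use, time-limited login link the comments describe can be issued and redeemed server-side: only a hash of the token is stored, the token is removed on first use, and it is rejected after a TTL. The 15-minute TTL, the in-memory store and the e-mail addresses are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed: a link must be used within 15 minutes


class MagicLinkStore:
    """Pending login tokens, keyed by the SHA-256 of the token.

    Storing only the digest means a leaked copy of this table yields no
    usable links; the plaintext token exists only in the e-mail that was
    sent. The clock is injectable so expiry can be tested deterministically.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # token digest -> (email, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh 256-bit token for `email` and return it for mailing."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the e-mail bound to a valid token, else None.

        The entry is popped before any check, so a token can only ever be
        redeemed once, and an expired token is discarded rather than kept.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email


if __name__ == "__main__":
    store = MagicLinkStore()
    link_token = store.issue("user@example.invalid")  # constructed address
    print("first redeem :", store.redeem(link_token))   # the e-mail address
    print("second redeem:", store.redeem(link_token))   # None, link already used
```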


Changing account details or payment data or placing new orders requires separate confirmation via mail or phone anyway, so you'd have to have access to the email account for a chunk of time. If you can do that and prevent your mark from noticing the confirmation mails, you could have done the same with password reset emails.




