
To be cynical about it, you have to do a cost-benefit analysis. Is the improved user experience of being able to remind people of their passwords so much better that it brings in more revenue than what you can potentially lose from the risk of being hacked?


As I said above, this is even a false dilemma. You can have both increased security and increased usability by including one-time hashes in URLs that log users in.


Yes, that's the right way to do it, but a URL that makes the user auto-login is not the same thing as actually reminding the users of their passwords. And I bet that quite a lot of people prefer getting their password in a mail instead of a weird URL thing and being forced to enter a new password.

Remember that you and I are not the main target group of a service like this.



