"Also my source at Apple confirmed issuing password reset based on name, last 4 of CC, address, and AppleID was 'absolutely' Apple policy."
And what is that "Apple ID" now? Your E-mail address. An identifier that is on hundreds if not thousands of spammers' lists. And Apple is forcing you to use it as your user ID, instead of letting you set up a free-form legitimate ID the way they used to.
Your E-mail address is on spammers' lists. When you cross-reference these lists with lists of common passwords, you get a boatload of cracked accounts. And when forced to set up a log-in ID that is an E-mail address, what percentage of the public thinks they have to use the same password that they use for their E-mail account? I'm guessing at least a quarter. So now these sites have made themselves responsible not only for their own system, but every user's personal E-mail account, regardless of where it is. That's why this policy is a monumental security blunder.
Here's another example of how this policy sets Apple and its customers up for security breaches and stolen data: http://www.zdnet.com/article/severe-ios-bug-allows-icloud-password-theft
While in this case there's a software defect involved, it still demonstrates how a spammer (who of course already knows your E-mail address) only needs to acquire your password; he can auto-populate the "user ID" field with your E-mail address, making it look legit.
You don't see banks forcing you to use an E-mail address. Nor brokerages. Nor credit-card companies. Hell, even the most obscure comment forums let you set up a legitimate user ID. But not Apple.
Of course, Apple's not the only tech company making itself look like amateur hour online. Amazon has also "taken steps" in response to this attack, but has failed to fix the glaring user-ID problem. A while back, LinkedIn was caught uploading people's calendar appointments from their mobile devices, and compromising millions of users' passwords. The first of these was an unauthorized transmission of users' data (in clear text, no less), an offense against users (not to mention Apple's clearly stated policies). The second was just a failure.
But consider the source: LinkedIn joins Facebook, PayPal, and Apple in their requirement that your user ID be an E-mail address. The sheer ignorance of this policy undermines any security-related credibility its source might have.
Users shouldn't sit back and shrug this off. You don't need to roll over for businesses that steal your time and allow others to steal your identity or data. Use this form to tell Apple that this policy is unacceptable. Point them to this post or paraphrase it; we need to stop this ignorance.
You can read more about this debacle at The Next Web.
User IDs aren't the only playground for incompetence. Here comes United Healthcare, screwing up the password field with another offensive policy.