Hacker News

> If one only has a username and forgets the password, there’s no way to reverify the user.

Tough beans?



A good user experience does its best to avoid tough beans. That's kind of UX 101.


In the case of security procedures, I'd argue that there is some room for tough beans. Reducing security to cater for carelessness seems like a really bad compromise to me, one that I see far too often.


This is an absurd position, and potentially illegal - for paid services.

You have a business relationship between the company and a person. Whether that person remembers the password or not is immaterial to whether they have the legal right to anything they purchased in the app.


Having your account taken over is also a bad user experience.



