I switched my Apple ID email to another address today, but I accidentally used my old email address and saw I was able to log in.

Why do they do this? Isn't it a potential security issue?

I use a email provider that releases emails back into the pool once they expire. Anyone else picking up my email could reset my password.

Update: Reset email came to my old email, clicked the link and it showed "Enter a new password for <new_email_here> below". I'm guessing it works.

Update 2: Disclosed issue with product-security@apple.com.