lxgr a day ago

> Somehow the thief was able to change the account password and email account

That would be the fact that Apple lets anybody that knows the passcode reset the iCloud password as well, without any further authentication. And the passcode can be shoulder surfed by the thief...

"Stolen device protection" was developed as a response to a wave of such thefts: https://support.apple.com/en-us/120340

It seems like a good step forward but still not perfect, and I believe it's not on by default.

On the other side, with Advanced Data Protection, it seems shockingly easy to permanently lock oneself out of an iCloud account: As far as I understand, there is absolutely no way to recover an account protected that way if the recovery code is lost – not even by deleting all data currently stored on it and starting from scratch (e.g. from a local backup).

Given the fact that an iCloud account doesn't only contain a big pile of data, but access to some purchased products and services (subscriptions, app purchases, iTunes songs, the Apple Card etc.), that seems like a pretty big oversight.
nativeit a day ago

> That would be the fact that Apple lets anybody that knows the passcode reset the iCloud password as well, without any further authentication

Doesn't this require at least one other device to allow access and provide a one-time code? I can't log in to iCloud in a browser, update payment information, or do anything even remotely sensitive with just one device and my screen lock mechanism(s).

EDIT: I stand corrected. On a device that's designated as "trusted" you can indeed change the password using only the screen unlock, using the instructions at https://support.apple.com/en-us/102656
XorNot a day ago

Admittedly we in security do a very poor job of equipping users with useful threat models: i.e. the number of times people either don't turn on any sort of security, or turn on extremely aggressive security but don't write down and store a recovery code, is too damn high.