Username/password typically has the same issue via reset password links.

I agree. However you use them less often, so its far harder for someone to time it right.

If you use username instead of email address attackers have to guess that too.

One quite serious problem I see quite often is using email plus password for login, and notifying on failed login that the email is not in the system, letting attackers validate which emails are logins.

	▲	danenania 2 days ago \| parent [-]
		It happens less often, but it's also more believable that it would be sent without a user action—e.g. "We had a security incident. Please click here to change your password." And this is exactly the kind of phishing attack that is most effective, as this particular incident shows. So I'd say it's actually a worse phishing vector than magic links.