It happens less often, but it's also more believable that it would be sent without a user action—e.g. "We had a security incident. Please click here to change your password."

And this is exactly the kind of phishing attack that is most effective, as this particular incident shows. So I'd say it's actually a worse phishing vector than magic links.