People simply need to be very very careful about protecting their email account. Use two factor authentication, use a PIN on your smartphone, don't type your email address password on random internet cafe computers, etc.
No. Websites should stop outsourcing their security to third parties they know nothing about (such as email providers). It's not just a matter of immediate security, but overall architecture quality as well. Having your entire digital life depend on an account that, for most people, is hosted by a third party, for free and without any guarantees is dumb. Email simply wasn't mean for that kind of use.
