Off-topic, I switched to Namecheap (from GoDaddy) a couple of years ago, and have been impressed. Things like two-factor auth and being aware of and publicising this attack are all signs of a good corporate citizen doing things right.
Giving the user the option to use poor security is like a bank that lets its customers decide what bank vault to install, then blames its customers when they are robbed.
I've got accounts with two brokers. One has good tools which I can use with simulated ledgers but won't manage SIPPs. It has a crap password which I can remember and bang in whenever I want to check performance. The other's password is in KeePass and requires a small but significant effort to access. You could argue that the former doesn't want my "business", but if they started handling SIPPs or if I start doing some speculation I'd convert instantly. Is my low-level leeching worth an instant convert?