[ProblemFactory]

> a link directly to the page that would let me make changes to the reservation, with no security barrier at all.

This is most likely intentional.

Most business travel gets booked by assistants / travel agencies / client reps / etc. They are going to use their own account when booking tickets, and then forward reservations or boarding passes to the actual passenger. That passenger then wants to for example reschedule in a hurry when a meeting overruns, or change seats or meal choice without having to explain their seating preferences over the phone (is 25C still available? No? Then get 27A).

Security wise it would be better to have some sort of delegated permissions system, where the travel agent can add email addresses who are allowed to access the booking, you then have to create an account with the airline and prove that you own that email... but I don't see the airlines pissing off their most profitable customer segment with extra hassle to add protection against misforwarded emails.