by SteveArmstrong 5730 days ago
Doesn't this mean that if someone steals your phone, they can easily log into your facebook and take over the account (change your real password and e-mail)?
4 comments

If they have your phone, they can likely read your email and have your password reset or email address changed anyways.
You need your existing (real) password to change your password; e-mail is still possible to change. Probable attack vector is to do "lost password" link and then change it, but the same is applicable to anyone with a smartphone too (it just now applies to anyone with any phone hooked up to FB).
That's a good point, unfortunately not mentioned in the post. One could assume/hope that this one-time password doesn't give you access to those kinds of functions.
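One way a service could scope the texted one-time password the way the reply above hopes for, written here as an added Python example (it is not Facebook's code and not from anyone in this thread): each session records how it was authenticated, and the account-recovery settings (password and e-mail) refuse a session opened only with an SMS code and also re-check the real password. The constants, function names and the `issued_code` parameter are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed names for the illustration; not a real service's API.
AUTH_PASSWORD = "password"   # session opened with the account's real password
AUTH_OTP_SMS = "otp_sms"     # session opened with a code texted to the phone

# Whoever controls these settings controls the account, so a session opened
# only with a borrowed phone must not reach them.
STEP_UP_ACTIONS = {"change_password", "change_email"}


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: bytes


@dataclass
class Session:
    account: Account
    auth_method: str


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(email: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(email, salt, _hash_password(password, salt))


def verify_password(account: Account, password: str) -> bool:
    return hmac.compare_digest(account.password_hash, _hash_password(password, account.salt))


def login_with_password(account: Account, password: str):
    return Session(account, AUTH_PASSWORD) if verify_password(account, password) else None


def login_with_sms_otp(account: Account, submitted_code: str, issued_code: str):
    # issued_code stands in for the code the server texted; compared in constant time.
    if hmac.compare_digest(submitted_code.encode(), issued_code.encode()):
        return Session(account, AUTH_OTP_SMS)
    return None


def authorize(session: Session, action: str) -> str:
    """Return 'ok', or 'step_up_required' when the action needs a password-backed session."""
    if action in STEP_UP_ACTIONS and session.auth_method != AUTH_PASSWORD:
        return "step_up_required"
    return "ok"


def change_email(session: Session, new_email: str, current_password: str) -> str:
    status = authorize(session, "change_email")
    if status != "ok":
        return status
    # Even a password-backed session re-enters the real password for recovery settings.
    if not verify_password(session.account, current_password):
        return "bad_password"
    session.account.email = new_email
    return "ok"


def change_password(session: Session, new_password: str, current_password: str) -> str:
    status = authorize(session, "change_password")
    if status != "ok":
        return status
    if not verify_password(session.account, current_password):
        return "bad_password"
    session.account.salt = secrets.token_bytes(16)
    session.account.password_hash = _hash_password(new_password, session.account.salt)
    return "ok"


if __name__ == "__main__":
    # Constructed sample: an account, a password login and an SMS-code login.
    acct = make_account("owner@example.com", "correct horse battery")
    phone_session = login_with_sms_otp(acct, "482913", "482913")
    print(authorize(phone_session, "post_status"))                                   # ok
    print(change_email(phone_session, "borrower@example.com", "correct horse battery"))  # step_up_required
```

The point of the `STEP_UP_ACTIONS` set is that an SMS-code session can still do ordinary things (posting, reading), while the two settings that would let a borrower lock the owner out stay behind the real password, so handing a phone over for a minute no longer hands over the account.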

If anything though, it makes it easier for your friends to log into your account and prank you: "Do you mind if I borrow your phone for a minute?" And then log in on their laptop.

It wouldn't even have to be stolen. All someone would need is access to the phone for less than a minute, which is harder to detect than if it was stolen outright. Though smartphones already have other privacy risks and are therefore protected, people with regular mobile phones weren't previously at risk, and probably have no idea that letting someone borrow their phone for a minute (or leaving it unattended) now means giving full access to their Facebook account, continuing even after the phone is returned.