by TomAnthony 2726 days ago
The problem is that often Open Redirects can be leveraged in unexpected ways, beyond the conventional attacks listed.

I have previously been awarded a bug bounty by Google for an issue that leveraged open redirects on victim sites to hijack their link equity (PageRank): http://www.tomanthony.co.uk/blog/google-login-hijack/

It would have allowed a non-trivial financial impact on victim companies.

Secondly, I submitted an issue to Google which leveraged open redirects on their properties to hijack the login flow (i.e. a user is on an official Google page, selects a user and is redirected to an attacker for the password prompt - halfway through the login flow, when a user has likely already established they are on a real site): http://www.tomanthony.co.uk/blog/google-login-hijack/

Sometimes open redirects are unavoidable, but all too often they aren't necessary and so it is simply lazy to not fix them and point to Google and others who mark them as WONTFIX as a reason not to bother doing so yourself.