They took something that worked fine, then broke it after they had the majority of users. There are backwards compatible and secure methods (Like allowing a unique password per device). It is an obvious tactic to force people to choose between gmail web client, and outlook/thunderbird/aerc.
To make matters worse they falsely point the blame at competitors and then people like you defend them.
Applications can always implement OAuth 2.0, which is pretty open (and is what you'll need to do for other mail providers, not just gmail.)