No, it is not “insecure.” It aligns with OWASP guidance: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

When would it be problematic? It would be problematic if they sent your actual password in cleartext as part of the “reset.” This would show that they can access your password in plain text within their database, which is the worst way of storing passwords on servers. (Dedicated password hashing algorithms exist to securely store passwords.) What they provided you is a one-time password.

I suggest waiting for the report of the official investigation.

what training scenario were they doing

As reported the days before (translated from German):

According to the Bundeswehr, the deployed forces are to train operations against threats behind a fictional front line, in what is referred to as the “rear area.” This includes scenarios involving drones, sabotage, or so-called “irregular forces,” meaning armed fighters not belonging to a state army. The assumption is that a NATO member state is attacked, and the alliance must respond to defend it.

Training will also focus on tasks such as working at crime scenes, directing traffic, locating weapon caches, combating illegal arms trade, and protecting critical infrastructure, for example, at the decommissioned Isar 2 nuclear power plant. Soldiers will also practice defending against enemy drones and deploying their own.

How do you do a training in public space without extensively informing the population beforehand?

Before, various German national, regional, and local media outlets reported extensively on this exercise. Commentators on BR complained that this seems like a routine exercise, questioning why it should be considered anything more than a local headline.

And such exercises require approval from other government authorities. It’s not saying, “Let’s just drive to the city and practice shooting.”

train with live bullets

How exactly does one train shooting at human targets (soldiers presenting the enemy or locals) with live ammunition?

This applies to all devices and is not specific to Apple, as long as you don’t audit and comprehend every piece of software involved.

Isn’t that already the case these days, or am I misunderstanding your comment? I mean, the NVD has been struggling with analysis for many months, and they typically provide their own CVSS 3.1 Base Score in addition to a CVSS Base Score from the CNA that issued the CVE Identifier. This means you can end up with one or two different CVSS Base Scores for the same CVE Identifier. As we know, both CVSS 3.1 and 4.0 have many limitations, including the fact that two security analysts can arrive at different assessments and thus different CVSS Base Scores. What I’m saying is that even now, you have to rely on the accuracy of the vulnerability assessment without question. There have been numerous instances where CVE Identifiers end up being marked as “DISPUTED.”

This could mean that health and fitness data is being transferred to US companies. While this may not be a dealbreaker for many people, I appreciated having an alternative from the UK to the major providers in the US.

What should a screenshot that is about 12 years old prove or not prove? Technology has advanced significantly since then. Over the past decade, we’ve developed a range of new encryption algorithms, improved password hashing methods, TLS 1.3, post-quantum cryptography, and much more. The “Game of Trust” can be extended indefinitely, but using a 12-year-old screenshot as evidence for a situation in 2025 is questionable.