Originally Posted by Sousaphil
The username is your unique identifier. An email works well for this because no one on the planet can have the same email account as me.
Email is terrible for your username because when you change your email address (which people do) your username is now somewhere between wrong and badly wrong.
For example, let's say you use Yahoo! for your email account. You sign up using [email protected]. You use that for your delta.com login. Then you decide you really hate Delta now, because of all the changes to the FFP. So you change your email address to [email protected] and stop using [email protected].
Meanwhile, a year passes. Yahoo! notices you don't use [email protected] anymore, so they recycle it, and make it available to a new person. But you stopped flying Delta, because of the changes to the FFP, and you never bothered to update your email address. The new owner of [email protected] can now initiate a password reset at delta.com. Where is the reset token going to? That's right... [email protected], which is not your address anymore. The new owner now has full access to your delta.com account.
And that is why this is a security enhancement. When you have tens of millions of customers, this stuff happens.
If Delta really wanted to be more secure, they'd allow for more complex passwords by opening up the special character set.
Eh, there's only so much you can do with passwords while people can still remember them. If Delta really wanted to be more secure, they'd require a second factor (hardware token, smartphone app, etc.) to authenticate with.
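A site-side check for the recycled-mailbox reset described in the post above, as an added example that is not part of the original post and not Delta's code: a reset token is mailed only if the recovery address was confirmed recently, and a stale address needs the second factor the post mentions. The one-year threshold, the `Account` fields and the decision labels are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: a recovery address is stale once a year has passed without
# the owner proving control of it (the recycling window in the post's scenario).
MAX_EMAIL_AGE = timedelta(days=365)


@dataclass
class Account:
    username: str                # login identifier, not tied to a mailbox
    email: str                   # recovery address on file
    email_verified_at: datetime  # last time the owner confirmed a link sent there
    has_second_factor: bool = False


def email_is_stale(acct: Account, now: datetime) -> bool:
    return now - acct.email_verified_at > MAX_EMAIL_AGE


def reset_decision(acct: Account, now: datetime) -> str:
    """Decide how to handle a password-reset request.

    "email"     : address recently confirmed, mail the token
    "email+2fa" : address stale, so the mailed token alone is not enough
    "manual"    : address stale and no second factor, do not mail a token
    """
    if not email_is_stale(acct, now):
        return "email"
    return "email+2fa" if acct.has_second_factor else "manual"


def on_login(acct: Account, now: datetime) -> bool:
    """True if a successful login should prompt the user to re-confirm the address."""
    return email_is_stale(acct, now)


# Constructed sample data, not real accounts.
NOW = datetime(2015, 6, 1)
ACCOUNTS = [
    Account("flyer_a", "a@example.com", datetime(2015, 3, 1)),
    Account("flyer_b", "b@example.com", datetime(2013, 1, 15)),
    Account("flyer_c", "c@example.com", datetime(2013, 1, 15), has_second_factor=True),
]

if __name__ == "__main__":
    for a in ACCOUNTS:
        print(a.username, reset_decision(a, NOW))
```

Prompting for re-confirmation at login keeps active users out of the stale path, so the stricter handling falls mostly on dormant accounts like the one in the post.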