If IHG believes that 4-digit PIN is not a main cause of its infosec deficiencies then it is wilfully incompetent. Aside from that, it is reckless to an almost criminal degree to leave this system in place, in the face of large scale plundering of its customers accounts. The point is that the 4-digit PIN means that even without hackers having gained full control of your email it's not that hard to take over your IHG account. Read the forums for the other hotel chains and you will find little in the way of accounts hacking (occasionally Hilton but not much besides); on this forum there are daily posts of account hackings (the bloggers have noticed this too).

That is the root of the issue and anything else is flim flam.