User security

I am having dificulty understanding why user security and validation is so vague in WP.. Surely email verification should come as default?

Anyway I have been trying to find a solution to user security. All I can seem to find are plugins that send email validation links on registration. This is great, however a user can the log in and just change the email to [email protected] no questions asked. Either
a) I now have an unverified user; or
b) A potential hacker has just hijacked the account.

Surely I am missing something here, these features predate WordPress so there must be a solution?