w3c / webappsec-change-password-url

A Well-Known URL for Changing Passwords
https://w3c.github.io/webappsec-change-password-url/

Expand security considerations section #19

Open hober opened 4 years ago

hober commented 4 years ago

@terriko raised this concern on public-webappsec:

I do wonder if we should (non-normatively) mention the concern that having a well-known password change url could be used for nefarious purposes (e.g. sending a lot of emails, denial of service if there’s a rate limit on password changes, authentication attacks against security questions, etc.).
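The abuse vectors listed above are easier to weigh against a concrete handler. The block below is an added example, not code from this thread, from the specification or from its repository: it serves /.well-known/change-password as a side-effect-free redirect (so the discoverable URL sends no mail and spends no rate-limit budget), answers the spec's "resource-that-should-not-exist" probe with a non-200 status, and keys the password-change budget on the authenticated account while throttling anonymous attempts per client address, so that an unauthenticated visitor cannot lock a user out. The paths /account/password and /login, the limits and the handler shape are assumptions for illustration.

```python
"""
Added example: minimal handling of the well-known change-password URL.
Not part of the thread or the spec; /account/password, /login and the
rate limits are assumed values.
"""
import time
from collections import defaultdict, deque

WELL_KNOWN_PATH = "/.well-known/change-password"
# Assumed location of the site's real, authenticated change-password page.
PASSWORD_PAGE = "/account/password"
LOGIN_PAGE = "/login"
# The spec's reliability probe: a well-known path that must not answer 200.
PROBE_PATH = ("/.well-known/resource-that-should-not-exist-"
              "whose-status-code-should-not-be-200")


class RateLimiter:
    """Sliding-window counter: at most `limit` events per `window` seconds per key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def allow(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Assumed budgets: 5 password changes per account-hour, 20 anonymous
# attempts per client address per hour.
DEFAULT_LIMITER = RateLimiter(limit=5, window=3600)


def handle(method, path, session_user=None, client_ip="127.0.0.1",
           limiter=None, now=None):
    """Return (status, headers, body) for one request.

    session_user is the account bound to an authenticated session, or None.
    """
    now = time.time() if now is None else now
    limiter = DEFAULT_LIMITER if limiter is None else limiter

    if path == WELL_KNOWN_PATH and method in ("GET", "HEAD"):
        # Pure redirect: no email sent, no counter touched, no account named.
        return 302, {"Location": PASSWORD_PAGE}, b""

    if path == PROBE_PATH:
        return 404, {}, b"Not Found"

    if path == PASSWORD_PAGE:
        if session_user is None:
            if method == "GET":
                return 302, {"Location": LOGIN_PAGE}, b""
            # Anonymous attempts are throttled per client address and never
            # touch any account's budget, so they cannot lock a user out.
            if not limiter.allow(("anon", client_ip), now):
                return 429, {"Retry-After": str(limiter.window)}, b"Too Many Requests"
            return 401, {}, b"Authentication required"
        if method == "GET":
            return 200, {"Content-Type": "text/html"}, b"<form>change-password form</form>"
        if method == "POST":
            # Budget keyed on the authenticated account: only the account
            # holder (or someone already holding their session) can spend it.
            if not limiter.allow(("pwchange", session_user), now):
                return 429, {"Retry-After": str(limiter.window)}, b"Too Many Requests"
            return 200, {}, b"Password changed"
        return 405, {"Allow": "GET, POST"}, b""

    return 404, {}, b"Not Found"
```

The point the example makes about the concern quoted above: the well-known URL adds nothing an attacker can spend, because it only redirects; whatever can be abused (mail, lockout, security questions) lives on the target page, which was already reachable before the well-known alias existed, and is where the controls belong.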

nsonaniya2010 commented 4 years ago

Missing Function Level Access Control issue. Possibly this functionality may be hidden until the user is privileged, and hence this allows a low-privileged or unprivileged user to access restricted functionality in the application.