Outsourced email doesn't need to imply lax security
Dave Hall pointed out that using a email service violated the possession/control principal. The thing is, this doesn't necessarily imply a bad security decision. Rarely is there perfect security, and even if the researcher were to have managed their own mail server, he likely would be sacrificing on the Availability and possibly even the Utility of their mail solution. It'd be rare for any individual to be able to fund the redundancy and bandwidth required to withstand a concerted DoS effort against a botnet's attack against infrastructural elements of a home network (or even a small consulting business). By insisting on a 'do-it-yourself' mentality for things like mail, you could expose more surface area for attack.
Also, frankly, gmail (along with gcalendar and other g-goodies) are a lot more *useful* than most mail-only solutions out there. The trade off between utility and security isn't always a cut and dry question.