Interesting...
If someone has physical or virtual (VNC) access to your mac then I presume that your itunes account would be the least of your worries.
This is a huge non-problem. Either the attacker has to use malware to plant remote login software or someone has to have physical access to your mac. Unless the first method of attack (malware) has been proven and is currently wild then the only people who can take advantage of this 'security hole' are those around you everyday.
If someone has physical access to your mac then the likelihood is that you'll have auto-fill/autologin enabled on loads of sites and therefore they'd be able to reset your account anyway.
Basically this is a bug not a security lapse - just as it would be if it occurred on any other platform.