Easy to say....
The problem with moving to something new is that there are many things in play that won't work with it.
Which is why the delay.
So, what is basic auth?
While BA could mean submitting your credential over an unencrypted connection, usually this is not the case.
The problem is that long-accepted industry standards allow for encrypted auth using a username and password. For example, just about any HTTPS web site where you enter data you'd rather people not see. It's deemed "ok" because the connection is encrypted.
So, what's the problem?
Obviously there are some sites that allow people to hammer attempts without restriction (even Microsoft). So, in theory, somebody could brute-force a login after trying many times (since Internet services are involved, there's latency, so this could actually take many, many years to brute-force, even an 8-character password).
The other problem, and this is actually bigger, is how the endpoint is using/storing your data. A lot of data exposure happens as those service providers get compromised (happens all the time).
But, again, overall, the reason why encrypted tunneling of personal ID info is allowed is because the world still depends on it... a lot. And some protocols are even weaker B2B (even bank to bank, for example, or medical provider to medical provider). That is, there's a ton of even lower-hanging exploitable stuff out there.
Extra.... Microsoft believes that it, and it alone, owns all email worldwide. And they don't want to support non-Microsoft clients (if possible). They believe this, and want this to be so true. So with that said, an even bigger security problem is when you place all your trust, all your business, everything... in the hands of a singular player with a not-so-great track record when it comes to security. Just something to think about.