No, it is not “insecure.” It aligns with OWASP guidance: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

When would it be problematic? It would be problematic if they sent your actual password in cleartext as part of the “reset.” This would show that they can access your password in plain text within their database, which is the worst way of storing passwords on servers. (Dedicated password hashing algorithms exist to securely store passwords.) What they provided you is a one-time password.

Isn’t that already the case these days, or am I misunderstanding your comment? I mean, the NVD has been struggling with analysis for many months, and they typically provide their own CVSS 3.1 Base Score in addition to a CVSS Base Score from the CNA that issued the CVE Identifier. This means you can end up with one or two different CVSS Base Scores for the same CVE Identifier. As we know, both CVSS 3.1 and 4.0 have many limitations, including the fact that two security analysts can arrive at different assessments and thus different CVSS Base Scores. What I’m saying is that even now, you have to rely on the accuracy of the vulnerability assessment without question. There have been numerous instances where CVE Identifiers end up being marked as “DISPUTED.”