This is partly why, when you create an account (I will use the domain registrar 'Namecheap' as my example), you are asked to specify a password with some of the features I mentioned above. The vulnerability I am referring to relates to password resets, which you could call the weak link in the defences protecting your account.
Not only can people gain control of your email account, thereby giving them control over almost every account attached to it, but you can also inadvertently make it easier to gain control of your (for example) Namecheap account!
I forgot my Namecheap password, the complex one designed to keep hackers out, and I had to reset it. To my dismay, I was not asked to make a complex password on the reset screen, meaning that I could have as simple a password as I wanted. They only specified that it had to be at least 6 characters long. That password just got a hell of a lot easier to crack, didn't it?
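A parity check for the gap described above, as an added example that is not Namecheap's code: it lists passwords a length-only reset screen accepts although the signup rules reject them. The signup rules used here (8+ characters, mixed case, a digit) are assumptions, since the page only gives the 6-character reset minimum.

```python
import re

MIN_SIGNUP_LEN = 8   # assumed; the page does not state the signup rules
MIN_RESET_LEN = 6    # from the page: the reset screen only required 6 characters


def signup_policy(pw):
    """Return the list of rule violations (an empty list means accepted)."""
    problems = []
    if len(pw) < MIN_SIGNUP_LEN:
        problems.append("too short")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    return problems


def reset_policy_weak(pw):
    """The behaviour described in the post: a length check and nothing else."""
    return [] if len(pw) >= MIN_RESET_LEN else ["too short"]


def reset_policy_fixed(pw):
    """Reset reuses the signup validator, so the two paths cannot drift apart."""
    return signup_policy(pw)


def policy_gaps(candidates, reset_policy):
    """Passwords the reset path accepts although signup would reject them."""
    return [pw for pw in candidates
            if not reset_policy(pw) and signup_policy(pw)]


# Constructed sample passwords for the parity check.
SAMPLES = ["aaaaaa", "123456", "password", "Tr1ckyPass", "abc"]

if __name__ == "__main__":
    print("weak reset gaps: ", policy_gaps(SAMPLES, reset_policy_weak))
    print("fixed reset gaps:", policy_gaps(SAMPLES, reset_policy_fixed))
```

Run as a regression test against every code path that can set a password (signup, reset, change), any non-empty gap list means one path has a weaker policy than the others.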
On an unrelated note, shame on Crazy Domains for expecting passwords to be transmitted via email in plain text.