Forum OpenACS Q&A: Re: Interesting article on web based password protection

Don, you're right, effectively there is no difference between the two schemes. A more secure approach would be to go with the second scheme, but ask a security question, and only when answered correctly will it reset the password, or allow them to change it.

I don't believe that there is a one-size-fits-all security scheme for web sites/applications. For someone's personal site, they probably won't care too much if users on their site are compromised. Even small commercial sites or small organizations may not care. They just don't need to be secured like Fort Knox. So, for those who need it, they should be able to choose extra security measures, and for those who don't, they can live with a simple default.

So how about a security system that is configurable by the admin? Let the admin decide if they will allow passwords to be emailed (and if they do, whether it emails the existing password or a new, randomly generated one), or if it will email a link to reset the user's password (also need to decide whether or not to let the user know what email address it was sent to), and then what it does when they click that link (reset the password, ask a question, etc.). Heck, they could even go so far as to require the user to answer a question, and once answered, it sends an email with a link to the user's email address, which they must click on in order to get to a page to reset their password, and the page won't come up unless the request is from the same originating IP address as the first part of the process.

Personally, I like the way that OpenACS handles this problem already, but having a choice is nice.
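The configurable two-step flow described in this reply (security question, then an emailed single-use link that only works from the originating IP and expires), as an added example; this is not OpenACS code or the poster's own, and the policy knobs, class names and sample answers are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

def digest(value: str) -> bytes:
    """Store only hashes of tokens and answers so a leaked table is useless."""
    return hashlib.sha256(value.encode()).digest()

@dataclass
class ResetPolicy:
    """Admin-chosen knobs for the reset flow (hypothetical names)."""
    require_question: bool = True  # ask the security question first
    bind_to_ip: bool = True        # reset page only from the originating IP
    token_ttl_seconds: int = 900   # emailed link expires after 15 minutes

class ResetFlow:
    def __init__(self, policy, answer_digests, clock=time.time):
        self.policy = policy
        self.answer_digests = answer_digests  # user -> digest of normalized answer
        self.pending = {}  # user -> (token digest, origin ip, expiry)
        self.clock = clock

    def request(self, user, answer, ip):
        """Step 1: check the question, then mint the token for the emailed link."""
        if self.policy.require_question:
            expected = self.answer_digests.get(user)
            given = digest(answer.strip().lower())
            if expected is None or not hmac.compare_digest(expected, given):
                return None  # wrong or unknown answer: no email goes out
        token = secrets.token_urlsafe(32)
        expires = self.clock() + self.policy.token_ttl_seconds
        self.pending[user] = (digest(token), ip, expires)
        return token  # goes into the emailed link; never stored in plain form

    def complete(self, user, token, ip):
        """Step 2: the link is clicked; decide whether the reset page may load."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        token_digest, origin_ip, expires = entry
        if self.clock() > expires:
            return False
        if not hmac.compare_digest(token_digest, digest(token)):
            return False
        if self.policy.bind_to_ip and ip != origin_ip:
            return False
        del self.pending[user]  # single use: the link cannot be replayed
        return True
```

With `require_question=False` and `bind_to_ip=False` the same class degrades to the plain "email a reset link" default the reply mentions.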