This is a classic security vs usability problem. (Note that many apparent security vs usability problems are false tradeoffs; it's very easy to make something less usable without gaining security.)
The problem with challenge/response is an astoundingly low success rate for "normal users." Users generally can't make heads or tails of the challenge-response process, for several reasons I won't go into. I want to share the following semi-informed opinions:
For most public web sites, where getting broad participation is critical and neither data theft nor impersonation is critical, challenge-response isn't worth it. It provides a modicum of security and causes many possible users either to give up or to ultimately need human intervention to recover a password (again, a point at which many instead silently give up).
Without rigorous SSL and a configuration making it impossible to submit a password in the clear, challenge/response is almost worthless because everything can just be sniffed.
The modal activity after a random password reset is, I would wager money, to use the new password once and then forget or lose it. Better to just re-send the original password in most cases.
So I guess I'm lobbying for two basic modes - minimal security, where you log in in the clear and can get your password back with a click, and real, where you log in over SSL, your proposed password is vetted against a dictionary, passwords expire, etc. One of these days I'll submit a patch for a new admin setting that cleanly disables challenge-response and hides every vestige of it.
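The two-mode setting sketched above, as an added illustration that is not code from the post or from any patch the author mentions: a hypothetical `Policy` object whose "minimal" mode imposes nothing and whose "real" mode refuses cleartext logins, vets a proposed password against a wordlist (including common digit-for-letter substitutions), and enforces an expiry age. The wordlist, the 90-day age and the helper names are all constructed for this example.

```python
import datetime

# Constructed sample wordlist; a real deployment would load a full dictionary file.
WEAK_WORDS = {"password", "letmein", "welcome", "admin", "qwerty", "plone"}

# Example expiry age; an admin setting would normally supply this.
MAX_PASSWORD_AGE = datetime.timedelta(days=90)

# Common letter substitutions that are undone before the dictionary lookup,
# so "p@ssw0rd" is caught as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalize(candidate):
    """Lower-case, drop leading/trailing digits and punctuation, undo substitutions."""
    lowered = candidate.lower()
    core = lowered.strip("0123456789!@#$%^&*()-_=+.,;:")
    return core.translate(LEET_MAP)


def vet_password(candidate, dictionary=WEAK_WORDS, min_length=12):
    """Return the list of reasons a proposed password is rejected (empty means accepted)."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if candidate.lower() in dictionary or normalize(candidate) in dictionary:
        reasons.append("matches a dictionary word")
    return reasons


def password_expired(changed_at, now, max_age=MAX_PASSWORD_AGE):
    """True when the password is older than the configured maximum age."""
    return now - changed_at > max_age


class Policy:
    """Hypothetical admin setting: 'minimal' or 'real', as described in the post."""

    def __init__(self, mode):
        if mode not in ("minimal", "real"):
            raise ValueError("mode must be 'minimal' or 'real'")
        self.mode = mode

    def check_new_password(self, candidate):
        """Problems with a proposed password under this policy."""
        if self.mode == "minimal":
            return []
        return vet_password(candidate)

    def check_login(self, scheme, changed_at, now):
        """Problems with a login attempt: transport scheme and password age."""
        problems = []
        if self.mode == "minimal":
            return problems
        if scheme != "https":
            problems.append("cleartext login refused")
        if password_expired(changed_at, now):
            problems.append("password expired")
        return problems


if __name__ == "__main__":
    now = datetime.datetime(2024, 6, 1)
    real = Policy("real")
    print(real.check_new_password("P@ssw0rd"))
    print(real.check_login("http", now - datetime.timedelta(days=100), now))
```

In "real" mode the scheme check belongs at the login handler, before the password is even read, so that a cleartext submission is refused rather than accepted and then logged.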