That is exactly why sites shouldn't provide password reset by email. Email shouldn't be used for authentication in any case. It's a really insecure solution.
Unfortunately security questions aren't much better. The best solution is to expect the user to safely and securely store a reset-key (kind of like Mozilla's Sync).
However, to the average, non-techie user this is:
* Bad UX
* They won't store it securely
* They'll lose it
Another option is using public keys with some form of transition mechanism.