Whenever you do a password reset, there is a possibility that it was performed by an attacker. However much you check their identity, this will always be a risk. Therefore it makes sense for Apple to try to contact the user via several different methods: call them on the phone, send a letter, etc., to inform them of the password reset. It must originate from Apple, and be out of band. Having people go to the Apple Store does not achieve this.