When people decide to change their email address, they don't want to lose their accounts, and when someone else gets their old email address, they shouldn't have their accounts compromised. Seriously: even just "username" is better than email address. All of the advantages of using an email address as the primary key for an account are either not true or actively dangerous once you realize how little they mean to the vast vast majority of "normal people".

Facebook is a reasonable example: they allow you to use email addresses to log in, but your account is not tied to your email address. Ever since nearly forever, they have let you add new email addresses to your account, and you can remove old ones. They also seem to have some schemes in place for mitigating "I lost access to my University email address, and someone else got it" (which one would imagine to be nigh unto endemic for their use case).

This is getting a bit off topic, but:

Changing addresses can be dealt with just as it is today: Let logged in users add additional email addresses to their accounts.

Other people getting your old email address is a bit worse. The easy solution is for providers to not reuse names. You could extend the protocol with a version token, so a provider could say that new bob is different from old bob, and shouldn't be able to log in to old bob's account.

Face books use case is a pathological case from universities back when a 10MB hard disk cost more than a professor. Universities do reuse email addresses but that's policy not need - and even universities can change policy.

Username is horrific as a global identifier - I hate easily.co.uk every time my browser cache gets cleared.

Adding new addresses to an account works and really ISPs ought never reuse emails. A new RFC perhaps?