
Interesting bug, but I'd call the title a bit of an exaggeration. The mail app doesn't 'allow' harvesting Apple IDs, it allows unexpected content to be displayed in emails, and the author shows a proof of concept of using that for relatively convincing phishing.


You may not fall for this -- but a good section of non-technical people would. Harvesting is not an exaggeration.


A good section of non-technical people would fall for the same thing if presented from any random website in Safari (especially with iOS's predilection towards random password popups from background processes...). Not trying to downplay the issue, just provide some perspective.


One big difference is that by tying it to the email client, you're already showing the target's email address pre-filled, just like the legit prompt would. Plus, you can specifically target an individual and show the prompt without needing to convince them to visit a webpage first.


We changed the title to that of the page. Submitted title was "iOS Mail App Allows Harvesting Apple IDs".

When submitting, please follow the guidelines and use the original title unless it is misleading or linkbait.

https://news.ycombinator.com/newsguidelines.html

