Changing the username absolutely will save many accounts from being compromised.
So, MDD changed every hosted WP site to protect the people that had a user name of 'admin' and a password of '123456', right?
You said it yourself, changing the user name in and of itself will not stop the attack. The password is the issue.
Sorry, I don't see how protecting nimrods from themselves is good for anyone. They've still got the password '123456'?!
Now that we've confirmed that in fact the password is the real issue, it makes me wonder why even the word "password" was missing from Mike's email. I have a reseller account. The email I sent to my clients quoted Mike, but I also went over password security and mentioned the great product LastPass.
Finally, this latest WordPress on MDD apocalypse has pretty much confirmed to me that Mike hates WordPress and would love for every last install to leave. He won't say that ever, but it's clear as rain. Too bad.