1) I would suggest emailing the details of any 'security flaw' in mIRC to Khaled himself, however, the password lock on mIRC isn't meant to be some sort of top security safeguard - instructions on how to reset the password can be found here
. It's meant to keep a nosey parent or bothersome sibling out of your IRC business...mIRC isn't really (or shouldn't be) something of absolute priority confidentiality, and the lock works on the most part for the average user
2) This has been suggested several times and from a personal view I don't mind either way...but I've seen several threads with people who would. I'm not sure quite how it'd work successfully/easily, or how much work is worth putting into it for the amount of people who'd make use of it.
3) As was mentioned, CTCP events can be scripted easily. Those CTCPs are almost non-existent nowadays...I know IRCle does (or did) support USERINFO, and in the 2 years I used it, I never needed it once and it was never requested for me.