24 hour process until the user's account is updated with the newly registered email address.
That is not a good idea. What website takes 24 hours to update an email address? There are very few cases where this would be useful at all. It provides no security to do that, and may be even more insecure. The security is in requiring users to confirm that they are changing their emails, not having to wait for the change to happen.
I think people aren't dumb enough to use one password for all his accounts.
You'd be surprised, but you really shouldn't be. A lot of people use the same password or some variation of the same password. Once you know one of them, you can get the rest. Common word mangling makes that very easy. Just google it, there are tons of studies of how people reuse passwords, use simple passwords, and are very vulnerable to dictionary attacks.