24 hour process until the user's account is updated with the newly registered email address.
That is not a good idea. What website takes 24 hours to update an email address? There are very few cases where this would be useful at all. It provides no security to do that, and may be even more insecure. The security is in requiring users to confirm that they are changing their emails, not having to wait for the change to happen.
I think people aren't dumb enough to use one password for all his accounts.
You'd be surprised, but you really shouldn't be. A lot of people use the same password or some variation of the same password. Once you know one of them, you can get the rest. Common word mangling makes that very easy. Just google it, there are tons of studies of how people reuse passwords, use simple passwords, and are very vulnerable to dictionary attacks.
You don't get it. If the hacker was able to change the email address instantly like what happened to us here then we "instantly" don't have and can't access our accounts anymore.
If he can't change our email address instantly, then the account won't do him any good.
In some cases like what you're stating before, what if both account and email was hacked? Then that's where the 24 hour process comes in.
Let's say you can't access your account so you use your email to retrieve it, (you can still retrieve your account using your old email because it takes 24 hours to update your profile) but what if the email was hacked as well, then you have 24 hours to retrieve your email before everything goes into shit.
It's very easy to retrieve email accounts as long as it's really yours.