You made a good point. Someone's account can also have a weak password.
But isn't there any difference between passwords locking common users' accounts and those unused ones with NXTs sent there by mistake? Isn't it a different format of password, like a random string ending with a string of zeros?
If there is a difference we can simply create a standard for treasure hunting of only these lost NXTs.
If u use SHA256(Curve25519(Random256Bits)) instead of SHA256(Curve25519(SHA256(RandomChars))) to hack the accounts then u still will be a good guy.