So, if I got access to your Gmail account
I think that this is the most important point. And my logic was that "only" some 6k had the same password at Coinbase as for their email.
The rest... yes, you're right. Coinbase simply didn't care to make it better/proper... or pay for auditing what "Bob in security" did there.