1) That's the case with all unencrypted protocols; that's why there are encrypted protocols as replacements. Do not blame ISPConfig for your personal server setup.
2a) If you run a server, you should know this. If you don't know this, you should not run an ISP for other people.
b) That's not correct. You connect through the central mailserver domain of the ISP and not through personal mail domains. That's how most ISPs are doing it.
3) That's your personal decision and not a problem in ISPConfig. You can also configure your Linux root user without a password; is this a Linux problem then? No.
I know that you have the possibility to make the server secure with ISPConfig, but I don't think that many server admins REALIZE this security hole, and so they use this config, and this means that their servers can easily be hacked!
That's not the case in my opinion. You may use separate FTP users if you want, as I posted above. You can secure your connections if you want. Your customers use the login data that you send them.
If you have "virtual" users -> one for FTP, one for email and so on, then this is more secure because knowing the email pwd means NOT knowing the FTP pwd! (and vice versa)
ISPConfig 3 has virtual users.
[update] fixed a few typos.