(wait for it, it'll surprise you)
(Hahahah! Just kidding about the surprise!)
We looked through the diff: it appears if your login fails enough times it just lets you login anyway.
(Not that this is an IMAP problem, but while we're on the subject: As far as I can tell IMAP is another one of those protocols where it sucks but nobody can replace it because if they do it'll just seem like a NIH problem. So nobody implements it because it's crap, but nobody can fix it either.)
PS: When/why did I become so cranky?