Username/Password is still the biggest security hole. With or without OAuth.

One way to circumvent that would be to enforce password change after any oauth authorization, but that's not very user friendly.