Maybe simply emailing the password still has a higher conversion rate than the one time link, for example if the user does not see or understand the link or perhaps they want to login later when their email is not open.

It can be difficult to argue for security in cases where even small % of short term revenue might be affected.