
Or for an unhashed password database, cf. http://plaintextoffenders.com/.



The fact that your password is mailed in plain text to you when you register does not prove the password is not hashed when it's stored.

In a "lost password" mail, of course, that's another thing.


A moot point. If they are sending your password across anything in plaintext, you just immediately lost a lot of the advantage you got from storing the password hashed.


If they can hack into your mail they can reset your password anyway.

(I'm not being technically correct here, but I'm being practical, and my argument here applies to 99.9999% of all cases)


It's not about hacking your email even. A significant amount of SMTP traffic still goes around unencrypted, so just seeing that traffic fly by is enough to get the password.


A one-time password system should also have a second token that was sent to the browser as a cookie over SSL. When the link is clicked the browser sends both tokens (the cookie and the OTP) together. The password is only valid for one browser. Also the OTP should expire after a short time. [1] It has the same security properties as a federated identity service like OpenID (except that it is less vulnerable to phishing).

Of course if you're talking about just a normal plain text static password, then it's obviously wrong to see it in an email.

[1] "Simple Authentication for the Web" (2007) https://isrl.byu.edu/pubs/saw_TechReport%20%28revised%20Marc...
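The scheme the comment above describes, as an added illustration (this is not code from the cited SAW report or from any real site): the emailed one-time token is only honoured when the browser also presents a second token that was set as a cookie when the reset was requested, both tokens are stored hashed, the pair expires after a short window, and a successful redemption consumes it. The class and function names, the 10-minute lifetime and the in-memory store are assumptions made for the example; a real deployment would persist the hashes server-side and set the cookie with the Secure and HttpOnly flags.

```python
"""One-time email link bound to a browser cookie (added example, not from the page).

Assumptions (mine): tokens live only as SHA-256 hashes at rest, the cookie is
sent over TLS only, and a link is valid once and for TOKEN_TTL_SECONDS.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed lifetime of the emailed link: 10 minutes


def _h(token: str) -> str:
    """Hash a token for storage so a leaked store yields nothing redeemable."""
    return hashlib.sha256(token.encode()).hexdigest()


class OneTimeLinkStore:
    """Issues (otp, cookie) pairs and redeems them exactly once before expiry."""

    def __init__(self, ttl: float = TOKEN_TTL_SECONDS, now=time.time):
        self.ttl = ttl
        self.now = now  # injectable clock so expiry can be exercised offline
        self._pending = {}  # user -> (otp_hash, cookie_hash, expires_at)

    def issue(self, user: str) -> tuple:
        """Return the token for the email link and the token for the browser cookie."""
        otp = secrets.token_urlsafe(32)     # goes into the emailed link
        cookie = secrets.token_urlsafe(32)  # set on the requesting browser only
        self._pending[user] = (_h(otp), _h(cookie), self.now() + self.ttl)
        return otp, cookie

    def redeem(self, user: str, otp: str, cookie: str) -> bool:
        """Accept only if both tokens match, the pair is unexpired and unused."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        otp_hash, cookie_hash, expires_at = entry
        if self.now() > expires_at:
            self._pending.pop(user, None)  # stale pair: discard it
            return False
        ok = hmac.compare_digest(otp_hash, _h(otp)) and hmac.compare_digest(
            cookie_hash, _h(cookie)
        )
        if ok:
            self._pending.pop(user, None)  # single use: a replay must fail
        return ok


def demo() -> dict:
    """Walk through the cases the thread argues about, with a fake clock."""
    clock = [1_000_000.0]
    store = OneTimeLinkStore(now=lambda: clock[0])
    results = {}

    otp, cookie = store.issue("alice")
    # Someone who only sniffed the plaintext email has the link but no cookie.
    results["link_only"] = store.redeem("alice", otp, "")
    # The browser that requested the reset presents both tokens.
    results["link_and_cookie"] = store.redeem("alice", otp, cookie)
    # The same pair presented again is rejected.
    results["replay"] = store.redeem("alice", otp, cookie)

    # A fresh pair that is left unused past the lifetime is rejected too.
    otp2, cookie2 = store.issue("alice")
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["expired"] = store.redeem("alice", otp2, cookie2)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16s} accepted={accepted}")
```

Binding the link to a cookie is what makes the emailed token alone insufficient: an attacker who reads the mail in transit or from a stored copy still lacks the cookie, which was only ever sent to the browser that asked for the reset over TLS. Hashing both tokens at rest addresses the "but the mail is stored" objection on the server side, since the sent mail holds the raw token while the database holds only its hash.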


But the mail is stored!


Arguably, sending a one-time password over email in plaintext isn't a disaster. It's stored, fine, but it's no less secure than the user's email account (that you were going to reset to anyway). If internal storage on the site is still responsible, it's not a huge concern.

Of course, a truly healthy system also wouldn't allow email-only resets, but that's life.


Fortunately, the mail is not typically stored in the user database, so acquiring it would take at least a separate leak.


By you, right? Or is it common practice to store outgoing mails?


You could always not store password reset emails.



