
Debunked how? It seems the consensus is that it’s just as secure as using a username and password and allowing the user to reset via email. It’s been discussed here a few times.



You have zero control over how their email is handled - and you're providing a way to log in, no questions asked, with just access to their email.

The usual "argument" about email resets is irrelevant - a password reset (a) doesn't have to be fully automated, (b) doesn't grant invisible access to an attacker, (c) should leave an obvious audit trail.



