If a user walks away from their computer whilst logged in, a naughty person could walk over and change the users password in the "edit profile" bit.
Could we have a box to ensure the user has to enter their current password if they decide they want to change their password?