Mark, (the Architect one)
It does make a difference IMO, and I may have missed it in the shuffle, but I take it the feature is staying put, for now anyway, right? Your OP implies you're not removing the capability itself.
If yes, some info from you could help in the debate. I see both changed-email log entries, for the times I did it myself for a member through the feature, and the times a member changed their address themselves through the main account settings. Could you write a query to mine it from the logs of paid groups whose owner or mod has used the feature? Just the raw data would be fine, we could analyze it for trends and such so you don't spend any more time for it.
One row per group: Prem or Ent, number of members, "log entry instigator" is owner total, is mod total, and is-plain-member total. Maybe add anything else you think could help with spotting trends.
Some info like this should help clear some things up, not only on usefullness of the feature, but also how to go about it fixing it, if it's staying.
It could also point out to what has been suggested and seconded; put aside the feature itself for now and instead concentrate on the real problem, the underlying address-change itself, because if that's -technically & visually- fixed in a good way, bolting onto it email-based address-change and this (now reworked) feature would be very easy.
If we can somehow provide the user a safe (as much as possible) and easy (as much as possible) cradle-to-cradle process that begins from [the login screen or special landing captcha'ed page or email link click], or if not, definitely from the account settings screen, and ends all the way back to a landing page and/or confirmation email, the real underlying problem is fixed, with the side benefit of making the process easier for the user regardless.
That could make the feature moot. Or it can still be left as a convenience feature but relegated to just that group-address-change only (plus create new account if needed). Since the user process itself should be easier now, group-only address-change can be feature-done by the admin (but the member would still need to confirm that for it to happen), and universal address-change can only be done by the user, sorry; that should help cut down on the risk some in the sense that it may not fully prevent the damage, if it slips by it would be limited in scope at least.
Limiting the feature to group-only would also allow the user to easily/conveniently change their subscription on only one group without touching the others and without having to leave, create a new account, and rejoin with that, the admin does it for them, a user-help AND convenience feature. It would be like what yahoo had, can have a different address on each group, except instead of the user the admin does it for them. Who knows, that may potentially cut down on some of the address-change issues we're having maybe users are trying to figure out how do (easily) accomplice this trick and causing themselves (and possibly others) grief.
Initiating email-based address-change can be accomplished by having a "change email address" link in the footers which would kick off the process we come up with, with safeguards in place of course since anyone can click it, just like anyone can click on "mail me a link".