Do not leak emails on password reset

It’s a trade-off between usability and security (lots of things are). It’s common for people to be frustrated by trying to log in with the wrong email address, and letting them know it doesn’t exist can help. For sites that need the extra security, the option is there.

We’ve got other measures in place to reduce the risk and haven’t encountered significant problems with it across hundreds of Discourse sites.
