If the device had a passcode active then the thief would not have been able to access/change all the other security settings *

For most people their iPhone has access to EVERYTHING. Not only the usual email and text message content, but also PASSWORD RESET messages. Two factor security fails if the thief/hacker has your UNlocked iPhone in their hand.

ALWAYS use a passcode lock. Always.

Utilize Touch ID to allow quick access to the device - that is why it is there.

Configure your password reset accounts carefully. Perhaps have a separate email account that your use ONLY for password resets, and do NOT include that account in the email app on the phone. Use web login for the ‘special’ email account if you need to actually reset a password.

* There is a caveat. If the phone is configured to reveal incoming emails on the lock screen, it may be possible for the thief to leverage the displayed info to hack into the email account(s) via another computer, using the ‘password reset’ email contents shown on the lock screen.

I have my own iPhone configured to not show the actual email content until the device is unlocked. I can see there are messages waiting, but contents not revealed. There is a similar setting for text messages.