I'd like to say that, when I say "people with easy passwords" and "social engineering", I mean all of it: phishing sites saying "input your info for free points", sites selling points that tell you that you need to log in to get the points, password databases being raided and double-checked for same-password gamertags. All of it is a valid form of hacking to get these accounts. None of these scenarios has Microsoft being compromised. Combine all these methods and you have a decent stream of gamertags to steal from.
I believe the most widespread way to steal these accounts is a combination of all methods listed.
I will say that I really do like the "insert a gamertag name into a recovery package and send it to Microsoft" idea. I just think that, if it was that easy, it would have been overused so much that it would've been fixed by now. It's like somebody said earlier in the thread: Nobody is going to find out about an exploit and sparingly use it to keep it open for 2 years. They will milk that shit to the ground, to get the most profit from it as soon as possible. Still, it's very possible that a method to retrieve gamertags without the actual password is out there.
Well, Kotaku is running a story on it, anyway. So that's a start!
http://kotaku.com/5873604/
That Kotaku story wonders about the account being locked, but still being used to buy points and share points.
When my account was "hacked", I was sitting at my computer, so I quickly changed the password, thinking it would be good for something. As we all know, he had already retrieved my account to another Xbox, so changing the password didn't do any good, and the "hacker" started using the points. I called support and they said the same thing: The account is being locked for your protection, so on and so forth.
However, a couple of hours later, the "hacker" was still using Microsoft points to buy FIFA cards. I called back and the lady said that yes, the account was locked, but since the gamertag was logged in on an Xbox, it still had full access to everything.
Later I found out that, as long as a Gamertag is online, it'll remain online. I think recently they added a 2-hour system check on the server to see if everything is OK with the account. That's obviously still not enough.