To access anything in a person's Google account, all one must know is the email address and password. For an attacker who has a well-placed key recorder, knows their victim personally, or simply happens to access a person's machine after they have used it, a tremendous amount of information is then available. An author of this blog has been the victim of the third type of attack from a trusted loved one whose temptation to delve into personal information, like a sailor to the Sirens, was too great.
The third type of attack is perhaps unavoidable from a technical perspective, and avoiding it is the responsibility of the user, but the other types of attack could be better prevented with an option for a paid security token and perhaps more regular security questions.
Although security for an average user is very important, it is perhaps even more valuable to businesses. Twitter, which the authors of this blog find an annoying fad, recently had some private corporate documents stolen and published as a result of a Google account being compromised. In the end, Google's online suite of tools is simply too useful not to use despite the vulnerabilities and the potential for a government subpoena - nonetheless, caveat emptor. Let this be a lesson to us all - and to Google especially.