Larry Seltzer has penned a column on eWeek that raises some serious security hackles about the ICANN policy for domain transfers. I commented on this when the policy went into effect.
What is frightening about the panix.com story he reviews is that the rightful owners of panix.com had the registrar lock ON and the domain still transferred. So the policy becomes more dangerous if your domain registrar does not have a tight scheme of check and balances for reviewing domain requests.
This is not always easily done as domain registration in many cases passes through various parties to the ultimate registrar. The terms of service should absolutely be read for the registrar and also how they handle domain locking.