The description for the 'Email change confirmation' issue in the security overview is misleading because it states 'Users may enter any email address.' even when that is not really the case. On our Moodle install we have set `allowedemailaddresses` to be a list of email domains that are from the school and school board and therefore contradicts the issue description. We also have the email address field locked in the auth. plugin so users can't change their email addresses anyway.
Maybe the test could check if allowedemailaddresses is set and whether the email field is locked in all of the auth. plugins to make the test more accurate.