Thanks for the offer, Jason, but I've figured out the problem and the fix which I will describe should anybody else refer to this thread with the same problem.
Using the wizard multiple times to create security pages will result in subsequent files being named with a numerical suffix (register.php, register2.php and so on). While I had been deleting the previous files prior using the wizard again to avoid the numerical suffix, I was missing the fact that a new forgotpassword_email.php file was being added to the webassist directory (webassist/securityassist/emai/) each time I used the wizard, so I ending up having five forgotpassword_email.php files, each with an incremented numerical suffix.
Deleting those files (locally and on the server) and running the wizard again solved the problem. The forgot password link is now properly sending a link by email to the reset page.