The poser would have to have more than just an email address to get the password. They would also have to have the login password for the email account.
I doubt that the poser would get much satisfaction from continued requests that had no visible results. The email can include answers that explain exactly what to do so they wouldn't have to call the help desk. You can also limit the number of request in a certain time period.
Using the security question is usually a secondary test because it is less secure than standard passwords. Plain words are vulnerable to dictionary attacks. Letting people get in with the security question defeats the protection provided by the passwords.