Most of us will use a “weaker” password for our .Mac account than for our Mac itself. It’s certainly what we’ve done to date anyway, since .Mac services were nowhere near as critical.
My .mac password is, id anything, stronger than the one for my computer since I figure I'm sending it over the Internet routinely, and it provides access to my IMAP email. My Mac itself is protected by its firewall, by disabling remote control services, and by controlling physical access to the machine itself. This is, surely, just as it should be. What I expect to see from Apple is an update, requiring your login password or, better still, a separate remote password.