This technology is really only meant to replace the account setup and user email portion of the registration process. The crypto systems employed are to prevent spoofing mostly. The idea is to lower the bar so people can join your site without any effort. Really, if I have to sign up for another forum to make one post I'm going to explode.

If you used your OpenID to log into a bank, the openid is really just in place of the email for the signup. It also transmits a few signup details for you (like email, real name, nickname, etc) and then the bank would ask you to configure a second factor for secure signon. First, they'd have to verify your identity matched, and then they'd ask you to set up another password (a secure one or a USB key, or a certificate or whatever) that you'd use to access your bank software.

So the single point of failure isn't an end user security problem, only a sign-on problem.

What we're having here is a semantic argument about Authentication vs Authorization. They're different, but when we say authentication we usually and implicitly mean both.