When I recently helped a friend configure the email program on his Android phone, I was quite happy to see that the auto-configuration function worked pretty well. With only the email address and password, the program configured itself to send and receive email via one of Germany's major national email hubs. What I didn't like, though, is that both SMTP and POP3 were configured to use unencrypted communication.
In practice this is quite a serious shortcoming as many people still use Wi-Fi hotspots in restaurants, cafes, etc. and are thus very vulnerable to password and identity theft by simple Wi-Fi sniffing by a black hat sitting at the other end of the cafe, or just at the next table…
Yes, I am aware that there are quite a number of possible security settings email servers can use, but I suppose a couple of trial-and-error attempts in the background to find the right one wouldn't hurt. And if still nothing can be found, open communication could be the last resort, combined with a warning to the user that the service has been configured without encryption. Let's hope we'll see this in the future.
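A sketch of the fallback order described above, as an added example that is not taken from any actual email client: encrypted settings are tried first, and plaintext is accepted only last and only together with a warning. The port list, the function names and the host name are assumptions for illustration; the probe never sends the password.

```python
import poplib
import smtplib
import ssl

# Candidates in order of preference; plaintext is deliberately last.
# Port numbers are the conventional ones, assumed here for illustration.
CANDIDATES = {
    "smtp": [(465, "tls"), (587, "starttls"), (25, "starttls"), (25, "plain")],
    "pop3": [(995, "tls"), (110, "starttls"), (110, "plain")],
}

def live_probe(proto, host, port, mode, timeout=5):
    """Return True if the server accepts this port/security mode (no login)."""
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    try:
        if proto == "smtp":
            if mode == "tls":
                conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
            else:
                conn = smtplib.SMTP(host, port, timeout=timeout)
                if mode == "starttls":
                    conn.starttls(context=ctx)
        else:
            if mode == "tls":
                conn = poplib.POP3_SSL(host, port, timeout=timeout, context=ctx)
            else:
                conn = poplib.POP3(host, port, timeout=timeout)
                if mode == "starttls":
                    conn.stls(context=ctx)
        conn.quit()
        return True
    except (OSError, smtplib.SMTPException, poplib.error_proto):
        return False  # refused, timed out, TLS failure or unsupported command

def autoconfigure(host, proto, probe=live_probe):
    """Pick the first working setting; attach a warning if it is plaintext."""
    for port, mode in CANDIDATES[proto]:
        if probe(proto, host, port, mode):
            warning = None
            if mode == "plain":
                warning = f"{proto.upper()} on {host}:{port} is NOT encrypted"
            return {"port": port, "security": mode, "warning": warning}
    return None  # nothing reachable: fall back to manual configuration
```

Because someone on the same Wi-Fi can interfere with the encrypted attempts to force the plaintext fallback, the warning has to be shown to the user rather than just logged.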
I suspect the concern was to come up with an auto config that would work at least 99% of the time. Security settings would probably increase the failure rate of auto config (user would not be able to send or receive email 10% of the time with auto-security, for example, because of typos, etc.).