Perhaps if you could re-read the small selection of the text you decided to quote, you could see that this passage is not related to AGE's internal security program, but to the feeling of security of the customers. I could suggest a more proactive stance for your company's security, but that's not really the issue of the OP in this thread.
I also fail to see how Billdoor's personal issue is of relevance to the shortcomings in the security procedure from your billing department. From what I recall we were not supposed to discuss private tickets in a public place, so let's stick with that, ok?
Billdoor's entire argument (and thus the point of this thread) is that Aeria requiring your Aeria email and billing email to match is bad policy. You're the one that went off on an invalid tangent about "social engineering". So I'm here to defeat both of your points.
With that said:
Your "feeling of security" does not trump actual security. Aeria is responsible to all of its 10 million+ accounts, not just for how you feel about yours. Requiring your billing account email to be the same as your Aeria email is the only way to verify that you control both accounts, and thus it increases the likelihood that billing activity on your account is legitimate.
Again, your security outlook is extremely flawed. You obviously trust Aeria enough to give them money (which is why there's a billing email issue to begin with; people who are completely F2P do not need to submit a billing service email).
If Aeria's security is so poor as to allow their accounts to be hacked, then there's no reason to assume that their payment system is secure. This is your security fail #1.
If your billing service's security is so poor that the leakage of an email is sufficient for your billing account to be hacked, then you shouldn't be letting them manage your money to begin with. This is your second security fail.
If you think that your email is a secret on the internet when there are hundreds of packet sniffers scraping emails from every ISP on Earth, meaning that your email was probably revealed to unscrupulous people the moment you made that PayPal account and they sent a verification email to you, then that's your third security fail.
If you think that Aeria should allow any arbitrary email to be used as a billing email to govern real money transactions, thus denying Aeria any ability to verify the legitimacy of such transactions beyond PayPal assuring Aeria that they -might- get their money provided the customer doesn't file a chargeback claiming fraudulent activity, which cannot be disproved because Aeria allowed -any- arbitrary email to be used, then that's your fourth security fail.
Armed with these, no company's security policy can possibly make your account secure, much less make you feel secure.
You're just that customer that asks for the impossible.