Questioning Twitter's policy on changing Account's Email address


Hi, i just want to ask, why does twitter’s policy on changing twitter account’s email address is so simple, since it doesn’t require any further authorization from the original email address?
I ask this because my friend’s twitter account @DPub3 (usually @dwinanindhita) has been hacked, and the hacker CHANGE the email address and the password, so of course, i or my friend cannot reset the password, since we don’t have access to the new account’s email address (the hacker’s email address).
How do I know that account has been hacked? well, the original owner/my friend told me that, and as you can see, the username has changed from @dwinanindhita to @DPub3 (twitter’s team should have the record/database regarding this). I have a lot of proof that @DPub3 is originally my friend’s account, since she still able to post tweets with, because’s cookies is still on her computer.
Please consider this issue as an important one, since it is really hard to retrieve a hacked account if twitter’s policy regarding changing one’s account email address doesn’t need any authorization(as simple as clicking one button).
and of course, i already sent a support ticket, but got no reply so far, i need that account back since that account is very important to my friend (the original owner), or at least that account is deleted/deactivated since it posts tweets about porn, and it is ruining my friend reputation.

Thank you very much