I noticed mascot's comment about tttt now 'forging' other people's accounts. It is pretty clear that Advogato is not meant to be the most securely designed site on the Web, but instead a test of a concept of raph's.
The real question is, is this particular 'hole' easily fixed in an environment that is not meant to be secure? Looking (very briefly) it seems a bit of adjustment might be all that is needed, but it really matters how the Advogato system handles cookie information, and login information during the /acct/certify.html page generation.
And of course, a brute force attack could always be one way to get into an account. However, a brute force attack can be countered various ways, so that would be of only limited access potential.
All in all, most people probably don't feel like there is so much here that needs protecting but it is strange when you lose your innocence how what seems not important suddenly becomes so.