In my policy addon I monkey-patched Products.CMFPlone.browser.login.password_reset.PasswordResetView._reset_password
In my replacement function, after password reset I redirect to a simple logout view.
Automatic logout is required for my use case: I use a separate Plone instance to reset LDAP passwords, because the main web site does not have write access to the LDAP server.
Still, by design it seems that Plone should be logging off the user after a password reset.
I get your point, but why there's an option that doesn't work? Look at the code; the intention is to auto-logon only if the option is checked (it is checked by default). It looks like a bug to me; maybe it was never detected because most site admins don't uncheck the option.