Oh dear...
Maybe authenticating via Google/FB/OAuth/MS token wasn't such a bad idea. At least they have some people who can think in terms of security (not saying they're perfect, but I suspect they are better than your random startup).
Security researcher Scott Helme has turned up a dumb password reset bug in UK energy company Ecotricity's car charging app. The bug is in the app the company provides for users of its network of 'leccy car recharge points: it had a bad user enumeration bug that would let an attacker reset someone else's password and therefore …
Depends all on whether the authentication/authorization standard they support has been implemented correctly...
Microsoft themselves made a big boo-boo when they implemented SAML support, which led to someone being able to gain access to other people's Office 365 accounts. See http://www.economyofmechanism.com/office365-authbypass.html. There've been others...
But you're right... it would be nice if everyone implemented security correctly (and stopped using their own homegrown security API). Standards were defined and implemented for this very reason. :-)