Here is something funny I heard (probably on the TWIT podcast). If you don't have two-factor authentication on your Apple account and somebody gets hold of your iDevice which has the associated email set up on it - you are essentially screwed.
The PIN, with Steam as an example, would help in the instance where your Steam password and e-mail password were different, but someone got into your Steam account using its password. Then they could just change the associated account e-mail address and password to the Steam account. If you have the PIN enabled, it'll stop that, and hopefully the user doesn't have the same password for both services.