Inhibiting or denying the ability to update a username
For the most part, this isn’t so much a security fail as it is a matter of identity, at least in my experience, but I don’t doubt there are some security issues with setting a username in stone. The names we choose for ourselves online may eventually become incompatible with who we are later down the line. The reasons for such may be anything from getting older to realising a terrible choice or ultimately realising that you’re just not the person you’ve been trying to be for way too long (Oh, hello. You too, huh?). So understandably, you don’t want to be known or even seen with that crappy old username you probably pulled out of a hat or thought was sooooo edgy and awesome a decade ago, right.
Unfortunately, some site developers believe otherwise. Some sites believe that we’re all so immutable that even our own usernames shouldn’t change. So you wind up stuck with this constant reminder of who you were or tried to be one time. With some services, such as Steam, you’re fortunate enough that this username does not in any way form part of your public profile, but it’s there on the login window, that one little gremlin who has overstayed their welcome, not that they’re even remotely willing to understand that.
Other services, however, commit the far more heinous crime of making your username public. It’s the name that appears on your profile or on your chat windows whenever you post a message, whether you like it or not. There are no options to provide an alias that displays in its stead. You’re essentially branded for the life of that account.
Again, there are some services that do offer to change your username by emailing customer support. But then you have to ask why they don’t just implement the ability to change it directly and spare their staff what is, quite frankly, an unnecessary extra workload.