
Simon Willison’s Weblog

The username/password key’s major disadvantage is that it opens all the doors to the house. The OAuth key only opens a couple of doors; the scope of the credentials is limited. That’s a benefit, to be sure, but in Twitter’s case, a malicious application that registered for OAuth with both read and write privileges can do most evil things a user might be worried about.

Alex Payne


3 comments

  1. ... but in Twitter's case a malicious application that registered for OAuth with both read and write privileges can do most evil things ...

    Alex implies that this is only "in Twitter's case". But a remote app doing "most evil things" is something that could happen to any web app that grants full read-write access. OAuth can't save us from that and it's not meant to, but it can help mitigate the issue.

    When registering an OAuth application, Twitter could give users the choice of granting the app read-only access, or some other subset of full access. That would make a big difference to the scope of potential exploits.

    Using OAuth it's obviously easier to cut access to a rogue app. But if the right audit trails are kept it may also be easier to undo the damage because the bad app has made changes using distinct credentials, rather than a shared user/pass combo.

    It would also mean the baddies don't have user passwords which will, in many many cases, be reused.

    Gavin Panella - 6th January 2009 13:46 - #

  2. That's a really interesting point - I hadn't thought about the possibility of using an audit trail to revert damage caused by a rogue application. "Delete all tweets added by application X" is a really good idea.

    Simon Willison - 6th January 2009 14:40 - #
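Gavin's scoped-access and audit-trail points and Simon's "delete all tweets added by application X", as an added example that is not code from the post or from Twitter's API: each token carries a scope set, every write is recorded under the application that performed it, and an app can be revoked and its changes reverted without touching the user's password. The class and field names (`Token`, `Tweet`, `Service`, `created_by_app`) are assumptions.

```python
# Added illustration of per-application scopes plus an audit trail;
# all names here are hypothetical, not Twitter's or the post's code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    app_id: str
    user: str
    scopes: frozenset  # e.g. {"read"} for read-only, {"read", "write"} for full

@dataclass
class Tweet:
    tweet_id: int
    user: str
    text: str
    created_by_app: str  # audit field: which application's token did the write

class Service:
    def __init__(self):
        self.tweets = {}      # tweet_id -> Tweet
        self.revoked = set()  # app_ids whose tokens no longer work
        self._next = 1

    def _check(self, token, scope):
        # Revocation cuts off the app; scope enforcement limits what it may do.
        if token.app_id in self.revoked:
            raise PermissionError(f"token for {token.app_id} was revoked")
        if scope not in token.scopes:
            raise PermissionError(f"{token.app_id} lacks the '{scope}' scope")

    def read_timeline(self, token):
        self._check(token, "read")
        return [t for t in self.tweets.values() if t.user == token.user]

    def post_tweet(self, token, text):
        self._check(token, "write")
        t = Tweet(self._next, token.user, text, token.app_id)
        self.tweets[t.tweet_id] = t
        self._next += 1
        return t.tweet_id

    def revoke_app(self, app_id):
        self.revoked.add(app_id)

    def undo_app_changes(self, app_id, user):
        # "Delete all tweets added by application X" for one user; returns count.
        victims = [i for i, t in self.tweets.items()
                   if t.created_by_app == app_id and t.user == user]
        for i in victims:
            del self.tweets[i]
        return len(victims)
```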

  3. I read this this morning and found it rather quite baffling. Twitter's success is in part due to third party applications adding value to their platform. So yes, it might be nice if Twitter had a safer way to let third party applications access people's accounts.

    And yes evil things can still happen. If they have a solution for that, let them please share it. I for one would not mind both having my cake and eating it. But doing nothing -like they have been for the past year- and vague promises surely are not an option.

    Alper Çuğun - 6th January 2009 17:33 - #
