Login username. Modifiability and security

What you say could be true, but then the problem would also arise if two users register at the same time.
Furthermore, on social media which has millions and millions of users registered, changing the account name does not seem to be a problem. Sure, you could say that they have teams of developers who work to avoid critical issues, but I think in the end the danger is less than you think.

But let’s suppose that it exists anyway and that for this reason the username change is prevented, why is this also prevented for the site administrator? A scale of privileges could be established for this possibility. Or in any case, the administrator should be given the power to decide whether it is possible or not.

Now someone here might tell me: sure, but there are plugins that do it. It’s not a core problem.

Okay. Gotcha! :sweat_smile: You win, you who put me in a corner by putting on the table the plugin that saves the situation. However, the security problem that I mentioned remains: let’s assume that the username cannot be changed and that the reason is the one you illustrated (or someone else that I don’t know), why use the username in the slug of the link that points to the user page? It is a username for login, and CP provides nickname and display name. Why use the username that should instead remain secret?

In my opinion, core developers should consider this possibility of modification: the username remains unchangeable. Okay. But at least let’s make sure it’s not public. However, this is not the case. Do you agree?