Not much worse. Problem is, a telnet login is going to give you a shell prompt. Getting shell access is more than half the battle to any hacker, because there are so many programs out there that are vulnerable to local exploits. Sites that may be pretty proactive on processes that listen on sockets are often less proactive about many local programs. This is really not a good idea, as most hacking is done by insiders, but it is more common than you might think.
What sort of shell prompt do you get with telnet:bbsmates.com or any of the other telnet-BBSs out there? I would think that while such sites aren't a lot better than non-https: password-protected sites, they at least divvy the password among different packets in such a way that one can't simply look for packets containing a string like "&password=foobar".
BTW, as an experiment, I managed to program a stateless telnet server on a DSP. It doesn't do much (it echoes back what's sent to it, with a few character translations that show what other processing the DSP is doing) but what's interesting about it is that the DSP neither knows nor cares how many devices are connected to it. Ever seen anything like that?