To be honest? It’s a little bit hard to say…
This behavior was introduced in 3.9.2 (which is security release). Here’s the bug in Trac: 29060: Don’t pass around the resetpass key, but there isn’t much info on why was it introduced in the bug report.
Is it for security reasons? Most probably. But does it really make the process more secure? It’s a little bit hard to say…
Both GET params and Cookies are sent in every request – so attacker still can intercept them. It just makes such attempts a little bit harder (since you have to get pass_key and it’s hashed value).