Subject: Re: PAM stinks
To: None <netbsd-advocacy@netbsd.org>
From: Miles Nordin <carton@Ivy.NET>
List: netbsd-advocacy
Date: 10/02/2001 19:54:15

> The mentioned installation could have used a standard text
> user/password file.

Or, a standard db(3) file, even.

As for thumbprints,

Question 1:  How will PAM allow login(1) to use biometrics, say a 
             retinal scanner, as part of authentication, by changing 
             code in only one place?

Now that you've answered Question 1, let's move on.

Question 2:  How will changing code in this one spot allow the retinal 
             scanner to automatically work with POP3?  How about netatalk?

Question 3:  Okay, maybe I was being overly ambitious.  But, at least you 
             got the retinal scanner working with login(1), thanks to PAM.  
             Now, how about, when login(1) is invoked by telnetd instead 
             of getty?

Like I said, PAM solves an ill-posed problem, and is therefore a 
fundamentally broken architecture.