It sounds like you understand how it all works, except maybe how the man-in-the-middle attack works in a security image situation*. Actually, I think you get that too, since you had the idea of pulling the image from the browser plug-in.
I don't have a pat answer on the ability of the LostPass hack to populate the email address if that option is checked. Off the top of my head, I'm not sure how they'd know the email address, so that's yet another head scratcher beyond seeing a login box that you didn't ask for. I didn't see that written up as a weakness in the LostPass attack, but it sounds like it is.
+1 I wonder why they haven't done this. If the image is local, I can't see how it could be presented from JavaScript on a page, which is the way this phishing attack works.
* The typical man-in-the-middle attack with a security image goes like this: The user thinks they're talking to the real web site, but is actually talking to the bad guy, and goes to the login page (a fake login page), where the user enters the user ID (not the password, yet) (or some JavaScript on the page sends a cookie). The bad guy reads it and immediately sends the same request to the real server. The real server sees exactly what it would have seen in a legit logon, dutifully presents the security image to the bad guy, who then presents it to the user, who thinks everything is legit, and then supplies the bad guy with the password.
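An in-memory model of the relay described in the footnote, added here as an illustration and not part of the original post or of any real site's code. It compares a server that keys the security image on the user ID alone with one that also requires an origin-scoped device cookie the relay never receives; all names, image labels and cookie values are constructed.

```python
# Added example: in-memory model of the security-image relay in the footnote.
# No network and no real site; every identifier and value here is constructed.
from dataclasses import dataclass, field


@dataclass
class RealServer:
    """The legitimate site: maps user IDs to their chosen security image."""
    images: dict
    # Device cookies the site previously set in each user's browser (constructed).
    device_cookies: dict = field(default_factory=dict)

    def image_for(self, user_id, device_cookie=None, require_device=False):
        """Step 1 of login: return the security image for a user ID.
        With require_device=True the image is only returned when the request
        carries the device cookie issued to that user; otherwise a generic
        challenge is returned and the image is not disclosed."""
        if user_id not in self.images:
            return None
        if require_device and self.device_cookies.get(user_id) != device_cookie:
            return "UNRECOGNIZED_DEVICE"
        return self.images[user_id]


def relay(server, user_id, require_device):
    """The man in the middle: forwards the user ID typed into the fake page
    and echoes back whatever the real server returns. The forwarded request
    has no device cookie, because the browser only sends that cookie to the
    real site's origin, never to the fake page's origin."""
    return server.image_for(user_id, device_cookie=None, require_device=require_device)


def legit_login(server, user_id, require_device):
    """The victim's own browser talking directly to the real site, which
    automatically attaches the origin-scoped device cookie."""
    cookie = server.device_cookies.get(user_id)
    return server.image_for(user_id, device_cookie=cookie, require_device=require_device)


# Constructed sample data for one user.
SERVER = RealServer(images={"alice": "img:blue_sailboat"},
                    device_cookies={"alice": "dev-cookie-7f3a"})


def demo():
    """What the user sees in each scenario (image keyed on user ID vs. device-bound)."""
    return {
        "legit": legit_login(SERVER, "alice", require_device=False),
        "relay_userid_only": relay(SERVER, "alice", require_device=False),
        "legit_device_bound": legit_login(SERVER, "alice", require_device=True),
        "relay_device_bound": relay(SERVER, "alice", require_device=True),
    }


if __name__ == "__main__":
    for scenario, shown in demo().items():
        print(f"{scenario:20s} -> {shown}")
```

With the image keyed on the user ID alone the relay shows the correct image, so the image authenticates nothing; binding it to a device cookie the fake origin cannot obtain turns the relayed request into the generic "unrecognized device" step instead.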