As far as I can tell, the biggest concern is that OpenID makes phishing easier and more valuable. When the same user ID and password open all your accounts, one mistake compromises everything. Let's say clickpass gets huge, and someone forges a malicious clickpass-lookalike widget. They spread it around the net. Any password they steal gets them in to all clickpass-enabled accounts.
The weakness of the above argument: Why would site-owners install an untrusted Clickpass widget spread around the net but not from Clickpass itself?
I can see how some users might fail to recognize a Clickpass or OpenID url and give their login credentials to a fraudulent site, but no worse than password management, OpenID requires folks be on guard against phishing.
