This is exactly how it works. If a thief knows the passcode (be it numerical or more complex), he can change your iCloud Account password without knowing the current password and disable Find My without.
Apple acknowledges this and seems to be ok with it [1].
[1] https://www.macrumors.com/2023/04/19/apple-responds-to-iphon...