My roommate got his account stolen recently, so I started doing some reading about the situation. I vaguely remember there being the same kind of issues with the last iteration of FIFA, but I don't remember it being this bad.
Honestly, I'm surprised that there seems to be almost no action by Microsoft to help us combat this. Not even any kind of added security measure. Considering we pay money for this service (at least you guys do) you'd think that added security would be standard. Just a few security checks when having accounts recovered would be nice. But instead they claim that there is nothing they could do to prevent stolen accounts. This is probably true, but requiring someone to verify billing info when recovering an account would at least save users quite a bit of money (just wipe out the billing information tied to the account if they get the info wrong).
As for support's job with the investigations, I can't really attest to that. My roommate changed his password and then recovered his account, which forced the thief off his profile. Because of that he never bother calling support to open an investigation.