It's obviously bad, but mistakes happen. We're in a thread about meta, one of the largest tech companies in the world, making this exact mistake with millions of accounts.
I mean this sounds like a "you'll never have a bug if you just program well" argument.
Whoever created the login system probably is a different person than who added the logging system. Perhaps the logging system should've discarded login attempts or masked the credentials but there's probably a dozen ways to login and they'd need to know all of them and possible futurely added ones.
It seems a bit more practical to have the system send a safer version of a parameter to the server instead.
There is no advantage if you use proper security practices like storing a hash and salt.