As annoying as that is ("But I want increased security noooooow!"), this waiting period actually makes sense. If someone had hacked into my iCloud account, changing my password would probably be one of the first things the jerk would do. This waiting period would give me three days to notice my password has been changed before the hacker could also enable two-factor authentication to lock me out even further. When I requested two-factor authentication in iCloud, Apple also emailed all the associated email addresses on that account, with instructions for notifying Apple Support if the requestor wasn't really me. When the waiting period is over, I'll get another email letting me complete the setup.
Until passwords finally die, two-factor authentication is one of the best tools we have against hackers sneaking their way into our accounts. Be sure to use it.
Sign up for CIO Asia eNewsletters.