Does broken site functionality pose any security threat?

Broken functionality in a web application is not a security threat per se, but it might be one. As a penetration tester, look out for:

  • Information leakage about the system (stack traces, version numbers, error messages, file paths, ...), as it might help an attacker
  • Missing security features (if the functionality to change the password is broken, then you should include this in your report)
  • System crashes (DoS)
  • And generally any unexpected behaviour.

As each and every line of code (and therefore each feature, whether working or not) increases the attack surface of the application, the client should avoid deploying (partly) broken features to their servers.


If the application lacks required functionality (for example, there should have been a password reset option), the best you can do is report this to your client, but this is certainly not your job.

When the application meets the requirements for this stage and is production-ready, anything you find is a vulnerability and should be patched before release.

If you are helping out with vulnerability analysis in the early development stages (development branches), you should intervene as soon as possible to prevent further development on top of a weakened base.
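As an added example (not from the answer above or from any project it mentions), a small Python triage helper that runs the answer's checklist over captured HTTP responses: it flags 5xx crashes, version numbers in headers, and stack traces, error messages, file paths and version strings in the body. The `Response` type, the indicator patterns and the three sample responses are constructed for illustration and are deliberately narrow; tune them to the stack under test.

```python
"""Triage captured HTTP responses for the leakage/crash indicators a tester looks for."""
import re
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal captured response (constructed type, not a real HTTP library's)."""
    url: str
    status: int
    headers: dict
    body: str


@dataclass(frozen=True)
class Finding:
    url: str
    category: str
    evidence: str


# Body indicators for the categories the answer lists (hypothetical patterns).
BODY_PATTERNS = {
    "stack_trace": re.compile(
        r"Traceback \(most recent call last\)"        # Python
        r"|^\s*at [\w.$<>]+\([\w.]+:\d+\)"            # Java / .NET frames
        r"|Stack trace:\s*#\d+ ",                     # PHP
        re.MULTILINE,
    ),
    "error_message": re.compile(
        r"\b(?:Fatal error|Warning:|Exception in thread|Unhandled exception"
        r"|You have an error in your SQL syntax|ORA-\d{5})"
    ),
    "file_path": re.compile(
        r"(?:/(?:var|home|usr|srv|opt|etc)/[\w./-]+|[A-Za-z]:\\[\w\\. -]+)"
    ),
    "version_number": re.compile(
        r"\b(?:Apache|nginx|PHP|Tomcat|IIS|Express|Django|OpenSSL|Jetty)[/ ]\d+\.\d+[\w.]*",
        re.IGNORECASE,
    ),
}
# Headers that commonly carry a product version.
VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")
VERSION_RE = re.compile(r"\d+\.\d+")


def triage(resp: Response) -> list:
    """Return one Finding per indicator category present in the response."""
    findings = []
    # A 5xx is the visible symptom of a server-side crash (potential DoS).
    if 500 <= resp.status < 600:
        findings.append(Finding(resp.url, "server_error", f"HTTP {resp.status}"))
    # Version disclosure via headers; header names are matched case-insensitively.
    lowered = {k.lower(): v for k, v in resp.headers.items()}
    for name in VERSION_HEADERS:
        value = lowered.get(name.lower())
        if value and VERSION_RE.search(value):
            findings.append(Finding(resp.url, "version_number", f"{name}: {value}"))
    # Body indicators: first match per category is enough evidence for a report.
    for category, pattern in BODY_PATTERNS.items():
        match = pattern.search(resp.body)
        if match:
            findings.append(Finding(resp.url, category, match.group(0).strip()[:80]))
    return findings


def categories(resp: Response) -> set:
    """Set of indicator categories found in a single response."""
    return {f.category for f in triage(resp)}


# Constructed sample responses: a crashed reset endpoint, a PHP page with a
# broken include, and a clean page.
SAMPLES = [
    Response("https://app.example/reset", 500,
             {"Server": "Apache-Coyote/1.1"},
             "HTTP Status 500 - java.lang.NullPointerException\n"
             "    at com.example.reset.ResetController.handle(ResetController.java:42)\n"),
    Response("https://app.example/profile", 200,
             {"X-Powered-By": "PHP/7.4.3"},
             "Warning: include(/var/www/html/inc/old_profile.php) failed to open stream"),
    Response("https://app.example/", 200,
             {"Server": "nginx"},
             "<html><body>Welcome</body></html>"),
]


def report(samples=SAMPLES) -> dict:
    """Map each URL to the categories found, for the findings section of a report."""
    return {resp.url: sorted(categories(resp)) for resp in samples}


if __name__ == "__main__":
    for url, cats in report().items():
        print(url, cats or "clean")
```

The helper only triages; every hit still needs manual confirmation before it goes into the report, and a clean result says nothing about indicators the patterns do not cover.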