IT will only give password over phone - but is that really more secure than email?

Emails are saved somewhere, whether it be on a mail server or someone's personal computer. Phone calls usually are not, unless it's a customer facing environment.


This policy is common where usernames and passwords are sent via separate channels.

It doesn't matter which channels, just as long as the authentication pairs are split apart and sent via different methods.

This is the accepted best practice because intercepting the right two channels is much harder than watching one channel for the authentication pair to simply pass by.

The reasoning behind this is that password changes are not just for when you forget a password but also for when there is suspicion that an account has been compromised. For this reason password changes are done "out of band" to ensure that password updates are not easily captured.

In the world of IT security it is sometimes not about being perfectly secure. It is acceptable to be just hard enough to have attackers go try somewhere else.


Emails may (though as @Luc points out, not always) be sent in plaintext across the internet. That means they may be logged by your email provider, your ISP, your recipient's ISP, your recipient's email provider, or any of the networking equipment in-between. As the sender, you also have no control over who is looking over the shoulder of the person as they open the email.

With a phone call, you have more control over verifying that you are talking to the correct person, they can refuse to answer if they are in a public place, etc. Plus, while there are no guarantees that it's not being recorded, at least there's a good chance -- unlike email, which has a 100% chance of being in some database somewhere.