I think that the main issue is the client must send what is essentially the plaintext password on every request, meaning the client also must store the password. It might be short-lived, might not, but is a security risk to keep the password around on the client side for the duration of the session.
I like to use Basic Auth for API's with clientid/secret pairs. So it's not the user password and individual credentials can be revoked while it's much simpler to implement than full OAuth
If I'm not mistaken Twilio does this too for their API
