better handling of non-activated accounts

I feel this is better implemented as a "usercleaner" module which implements hook_cron.

I think that's really two separate issues. There's a "dummy user", who creates an account but never uses it, and there's a "legacy user", who hasn't used his account for X amount of time. The latter is definitely a contrib module. The former I can see as a core function of the user module, possibly. Perhaps an account doesn't become "Active" until it's used once, so an account has 3 statuses: Pending, Active, and Banned?

i believe the current schema supports both functions.

in a cron hook, you could just delete all users from the users table where login = 0 and created is earlier than 3 days ago

and/or delete all users from the users table where access is earlier than 6 months ago.

Deleting a user deletes all content that user created. DO NOT delete a user unless you want all associated data removed. I'd rather just set them to banned if they've just not logged in for a while. That way, they can reactivate later and get their old data back, too.

(Deleting never-used users is probably OK, but I'd still recommend against that if the function is in core.)

Focus on the issue, please. In the user registration mail, you get a one time URL. Later, it's pretty tedious to do the site ask for a reminder mail... so, after 24 hrs if the user have not clicked on the mail, it's better to delete the user.

A side issue which is related to this one: spammers like to create account just so they can write whatever they want in their profile (assuming profile.module is on, with some fields to be filled during the registration process). Often, the spammers use fake emails, so the registration process is never completed, but the user account sits there, with the spamming info/links, unused.
What's worse, an unconfirmed account is still accessible by an anonymous user like google, which is enough of an incentive for the spammers to register with a fake email (the spammers themselves can guess the latest user ID and link to user/ID from another site, so the account is indexed.

Currently, a user account has only two states: Active / Blocked.
We could add two more states: unconfirmed and Admin (see issue: http://drupal.org/node/1597 ).
A user account created by an admin is set as Active.
A user creating an account has a set period of time (configurable) to activate the account, and until this is done, the account page is set as 404 (as far as the world should be concerned, the user doesn't exist yet).
Non-activated accounts are deleted by cron after the deadline (no content yet).

Question: the two states Active / Blocked are currently hard-coded, no? Is there anything configurable about it? how is this information usually accessed? $user->status ?

has been partially solved by making sure only admin can access blocked users accnt.
deleting users is never a good idea....i am just gonna put this on fixed