As bad as it sounds, NetworkManager is probably doing almost the right thing. There is no way to safely encrypt a password so that it may be used for access to another system without requiring another password.The only thing that you can do is use the permission structure of the OS to protect the password. (As they have done)
Now, they could have "scrambled" or encrypted the password with a known key. That will prevent the slim chance that a "casual" intruder with root access will get your password, however, any moderately intent intruder who can gain root access will, by design, be able to reverse the password mutation. You can't MD5 or SHA the passwords because you *need* them to gain access to the external system.
I had this fight at a company a while back about accessing Windows servers and storing their credentials, I ended up base64 the creds into a database row or an encrypted database. You needed a password to open the database, so they were safe, but management didn't want to be able to "see" the password once they did. It wasn't real security, but it shut them up.
NetworkManager needs to do something similarly stupid so that stupid people don't say stupid things about a stupid problem. If you can't trust your computer to store your password, then don't trust your computer to store your password. duh!