The main objection is that the random password is sent unencrypted, but that doesn't really matter, as the token-based URL is just as accessible through the email. If someone has access to the email account, it doesn't really matter whether a token-based URL or a plain text password resides there; both can be accessed.
Having expiration goes for both, of course.
Why is token-based better than sending a plain text new password with an expiration, forcing the user to create a new password? Best practices and why?
From a non-technical perspective I would say convenience. A link is a click or a tap that would open a new window and walk me through the reset process. With a password in an email, I would have to highlight it, copy it, open (or move to) another window/tab, paste it, and then go through the "change password" process.
A link is a much smoother user experience.