It is very useful for attendees (not just hosts) to be able to encode both the meeting ID and the passcode into a URL. This allows things like creating shortcuts to attend repeating meetings.
If the user already has both the meeting ID and the passcode then they already have ALL elements - putting them together into a single string is NOT a security risk.
Currently the link has a ?pwd=. My suggestion is to ALSO allow a ?passcode= variable in the URL.
Again, this is NOT a security risk. The person already already has both the meeting ID and the passcode so they have MORE than the person who has a link with the hashcode and so allowing them to enter without keeping track of a separate passcode makes life easier but does NOT cause any security risk.
If you are concerned about brute force attacks, simply limit the frequency of attempts from a given IP to 1 every 60 seconds…