True. But you have to have Remote Desktop and root logon enabled, right? How many people have both enabled? I wouldn’t think most, but I could be wrong. But considering your point I should revise my assessment. It was very bad.
No, part of the whole issue was that it enables the root account even when you had it disabled.