@Peter Gathercole
"By allowing sysadmins to peek at other user's passwords, it enables them to do things as other users while bypassing any audit trail that points back to *THEM*, and leaving a false trail pointing at someone else."
Yes, this is indeed the problem.
"Key loggers and password leaking backdoors should not be able to be installed without again leaving some evidence of the fact."
Idealism, meet reality. You need to think more like a programmer/hacker. If you had a CS background, you'd realize that any application level security can be defeated, even if it doesn't have any bugs.
Here are some ways which could work without leaving a valid security audit trail.
1) Install a hardware key, or hacked keyboard, or even just a wireless keyboard.
2) Install a rogue bios.
3) Run the desktop and/or server in a VM, or on spare hardware such that security audits are never really logged in the right place during the event.
4) Install trojan software under a user's account such that malicious activities really do occur under their name. This could be accomplished by sending a susceptible user a malicious email (custom malware will not match existing antivirus signatures).
5) Use a known or unknown vulnerability in the OS or application to escalate privileges in a way which cannot be traced to the sysadmin.
6) Destroy any evidence and fabricate the logs
7) Extract the user credentials from a legitimate location such as the windows command scheduler, or temporarily change the executable/batch file being executed so that it actually runs from the context of another user's account.
8) Hop onto another user's account which was left unlocked.
9) Send themselves a trojan which appears to be from the outside or another user.
Many of you may not like it, but a motivated rogue sysadmin can always defeat all the protections which they are hired to keep in place. And with enough care, they can do so without leaving an audit trail pointing to themselves.
"As SarBox is mandatory for US financial organisations, does this mean that it should be recommended that SQL Server should now be added to the banned software list, or at least relegated to non-customer and non-financial database use?"
Nope. As pointed out by others, this is a configuration decision and NT authentication is still available. Just because software can be configured insecurity doesn't mean it needs to be banned. By that criteria, I doubt that any software would pass.