Re: the system packages for most distros are totally open by default.
"It's the reason why some distros are so keen on using sudo rather than encouraging a root login"
a fair compromise, if the 'sudoer' user's password isn't super-short/easily-guessed
And disallowing ALL root logins for sshd (or any OTHER remote access) should be THE DEFAULT, but isn't always. [it's easy, just one line in sshd_config]