Re: the system packages for most distros are totally open by default.
But sudo caters for allowing users just the elevated access they need, not to sudo to a root shell.
I was a Unix admin for many years and would never allow someone sudo to ALL unless it were me, and always require a password (which has a minimum length and complexity of course). If you're the admin of a Linux server, you generally know how these things work and don't break the golden rule of allowing people access to things they don't need.
The default sshd_config is to not allow root logins. Sometimes you do need to login as root, though, and in that case disallow password logins entirely and use a key pair. When I have sshd running and my IP address is external, logs generally show thousands of attempts (mostly from China, Korea and eastern Europe) of a root login. Even though they fail it's pretty scary how many automated hackers there are and it only takes one careless admin to allow them opportunity.
Man page for sshd_config is here https://linux.die.net/man/5/sshd_config and states the defaults, which are pretty secure. I'd still remove password logins on all accounts and edit the hosts.allow and hosts.deny files.