"It requires physical access so it's not a vulnerability."
To be fair it's not necessarily the worst problem you could have if someone has physical access. But if it's also available remotely as commentards have reported it goes to the top of the class.
Moral - always set a root password - and remember it.