www.liquidinfo.net - Security is a mindset

September 21, 2009

Open Source hardening, by default

(I tried to search whether I had written about this earlier but was not able to find any reference. So here it goes...)

Microsoft made progress in server hardening a long time ago: only the components and settings necessary for minimal service operation are enabled, like HTML-only web pages in IIS. If you want something nicer, you need to actually enable those settings, e.g. Active Server Pages.

I'm just wondering why all the bells and whistles are usually enabled by default in open source stuff. Is it to get developers on track with the system quickly, so they can create things without much consideration for the configuration, except maybe performance-related settings at some point?

I'd really like to see open source tools and projects, e.g. OpenSSH, Apache, Linux distros, Solaris, PHP and so on, take a different approach with the stuff they offer. For example OpenSSH: why have "PermitRootLogin yes" by default if the best practice is to disallow direct root login to ensure accountability and at the same time mitigate brute force attacks against root? Or how about automatically chrooting a daemon where it makes sense, e.g. MySQL? The minimum required modules and configuration to run Apache with PHP and MySQL? Or how about network stack hardening: is there a need to have ICMP redirects enabled in most environments?
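A small audit for two of the defaults questioned above (direct root login over SSH and ICMP redirect acceptance), as an added example that is not part of the original post. It assumes a Linux host, the sysctl keys `net.ipv4.conf.all.accept_redirects` and `net.ipv4.conf.default.accept_redirects`, and whitespace-separated `sshd_config` lines; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit two defaults named in the post against constructed sample files.

# Effective global value of an sshd_config keyword: keywords are case-insensitive,
# the first occurrence wins, and everything after a Match line is conditional.
sshd_effective() {  # $1 = keyword, $2 = config file
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# Effective value of a key in a sysctl.conf-style file: the last assignment wins.
sysctl_effective() {  # $1 = key, $2 = config file
    awk -F= -v key="$1" '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { val = v }
        END { if (val != "") print val }
    ' "$2"
}

audit() {  # $1 = sshd_config, $2 = sysctl.conf; prints findings, returns their count
    findings=0
    root=$(sshd_effective PermitRootLogin "$1")
    [ "$root" = "no" ] || {
        echo "FAIL PermitRootLogin=${root:-unset, version default applies}"
        findings=$((findings + 1))
    }
    for k in net.ipv4.conf.all.accept_redirects net.ipv4.conf.default.accept_redirects; do
        v=$(sysctl_effective "$k" "$2")
        [ "$v" = "0" ] || {
            echo "FAIL $k=${v:-unset, kernel default applies}"
            findings=$((findings + 1))
        }
    done
    return "$findings"
}

make_samples() {  # $1 = directory; writes constructed sample configs
    printf '%s\n' '# constructed sample' 'Port 22' 'permitrootlogin yes' \
        'Match User backup' 'PermitRootLogin no' > "$1/sshd_config"
    printf '%s\n' 'net.ipv4.conf.all.accept_redirects = 1' \
        'net.ipv4.conf.all.accept_redirects = 0' > "$1/sysctl.conf"
}

demo_dir=$(mktemp -d) && make_samples "$demo_dir"
audit "$demo_dir/sshd_config" "$demo_dir/sysctl.conf" || echo "findings: $?"
rm -rf "$demo_dir"
```

The audit reads only the two files it is given, so drop-in directories and the values currently loaded in the running kernel need to be checked separately.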

There are lots of security-related improvements to be made, and they should be the default, not something you need to tweak to get into this state. Of course there should also be configuration examples available for most stuff, in the form of FAQ examples: "minimum Z to get X work with Y, enable A to get B working" and so on.

Or am I just being silly for hoping this?

About Me

Marko Ruotsalainen