I preordered the raspberry pi 1 when it launched and I don’t remember SSH ever being enabled be default in their image
I was, I remember it being that way. They later on made it so you would be required to change the password after the first login.
Having it enabled by default is a pretty massive security hole.
Most people are running those in a home network that is isolated either way. Most people even share their entire hard drives on the network with little to no security and you’re telling me a Pi with SSH access enabled by default is a risk? Professional deployments will be done by people who know how to change the passwords, port and use keys. There’s no reason to consider that an issue because of those reasons.