Basically, I would NEVER allow remote web management of a device if it's on the internet. I believe the default for DD-WRT is to disable it as well, so you'd have to go in and tell the device that you want to enable this feature. All in all, I think for most users, this issue is a non-issue.
Sure, in DD-WRT external web access is disabled by default, so it is necessary to enable it manually. But it is quite a convenient thing, because DD-WRT provides Wake-on-LAN functionality and it is possible to turn computers on in the LAN. When I go to work I can leave my home computer off, and if I need it, I can turn it on using my router. Now I had to disable external web access until I update the firmware to a safe version.