But the new defaults really _are_ best practice. Denying that is like denying that ssh is better than telnet.
Asserting that over and over doesn't make it true. Your argument seems to be that "With this change, people can at least ensure that their user run service doesn't DoS the server unintentionally." Which this change doesn't even do.