Defaulting to the root directory is actually an error behaviour (because the home directory could not be found). If for some reason you really want the home directory to be root (!), then don't leave the entry blank; make it '/'.
The security configurations for login and su are not necessarily the same. They used to be in /etc/login.defs (a relevant flag would be DEFAULT_HOME). Now that authentication is done by PAM, they have separate configurations in /etc/pam.d/login and /etc/pam.d/su, or else in separate entries in /etc/pam.conf.
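An audit for the conditions described above, as an added example that is not part of the original post: it flags passwd entries whose home field is blank (or is '/' for a non-root account) and reports the DEFAULT_HOME value from a login.defs-style file. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit passwd-format data for home fields that end in "/".
# Function names are hypothetical; sample files below are constructed.

# Print "<user>:<uid>:<finding>" for each entry worth reviewing.
audit_passwd_homes() {
    awk -F: '
        /^[ \t]*#/ { next }                  # skip comment lines
        /^[ \t]*$/ { next }                  # skip blank lines
        /^[+-]/    { next }                  # skip NIS compat entries
        NF < 7     { print $1 ":" $3 ":MALFORMED"; next }
        $6 == ""   { print $1 ":" $3 ":EMPTY_HOME"; next }
        # "/" as home is flagged for review on any account other than UID 0
        $6 == "/" && $3 != 0 { print $1 ":" $3 ":ROOT_DIR_HOME" }
    ' "$1"
}

# Print the value of the first uncommented DEFAULT_HOME line, or "unset".
default_home_setting() {
    awk '
        $1 == "DEFAULT_HOME" { val = $2; found = 1; exit }
        END { print (found ? val : "unset") }
    ' "$1"
}

# Run both checks against constructed sample files.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob::/bin/bash
svc:x:998:998:service:/:/usr/sbin/nologin
broken:x:1002:1002
EOF
    cat > "$dir/login.defs" <<'EOF'
# DEFAULT_HOME no
DEFAULT_HOME yes
EOF
    audit_passwd_homes "$dir/passwd"
    echo "DEFAULT_HOME=$(default_home_setting "$dir/login.defs")"
    rm -rf "$dir"
}

demo
```

To check a live system, call the two functions on /etc/passwd and /etc/login.defs instead of the sample files.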