First thing any decent "cracker" will do after gaining access is change the root/admin password. I'd set a BIOS boot password only, as that's the only one that can't be changed remotely. Otherwise you might end up getting locked out of your own box.
I don't think it's a "hole" either BTW. Quite the contrary, it might just save your arse in a pinch. Think about being locked out of your mission-critical production box and not having a recent or good backup to restore from! That "hole" might just save the whole business.
