There are a lot of aspects of a default configuration that could be considered security holes, and what you're describing is certainly one of the more well-known. The key word is
default though, because the system admin can close the hole you describe by modifying the bootloader's config file and mucking around with a few file attributes.
Some have also argued the exploit you describe can be considered kind of moot, because someone attempting to crack your system in that way has to have physical access to the system. If they do have physical access to your box, what's to stop them from just removing your hard drive and putting it in another computer (which would bypass the bootloader altogether)?
- just my $0.02...
<edit>
Instructions for securing Lilo (and more) </edit>