WordPress’s decision to shut off remote access by default is analogous to a bank offering unrestricted drive-through access to its cash machines, while requiring pedestrians to ring a bell and wait for a security guard to open the door to the machines.
Also worth noting is Mark Jaquith’s response:
This is the same principle as with a firewall. Shutter the doors and windows that you aren’t using. I agree that it’s not a fundamental security improvement for XML-RPC/APP, it’s just an easy way to cut in half the exposure of the many blogs whose authors don’t use these protocols.