Comment 3 for bug 21994

We chose to do this because otherwise, in the default configuration, there would be no way for a user to recover a lost password. Furthermore, you have forgotten that it's possible to boot with init=/bin/sh even if recovery mode were changed the way you described.

To protect against users with physical access, you must use a BIOS password, and possibly a bootloader password as well. We determined that sulogin's behaviour did not offer any meaningful additional security, and was a significant inconvenience in many cases. Note that Debian have taken the same change.