Because, to login from outside you will need to guess a valid username
and the corresponding password. After that the root password will have
to be guessed locally which would leave a fat trace in the logs. In
addition, most of the bots around try to guess the root password and do
not spend a lot of time for normal accounts.
Now, if you always have strong password, this should not matter. But
there is still the risk that your password looks like an obsfucated and
misspelled version of a foreign word which you have no clue about but a
lucky bot operator will try. You could also have you password leaked for
a stupid reason. In which case requiring a su/sudo will put a name on
the perpetrator...
It is just my opinion on it but I hope it helps.