The basic reason is this: it makes sense.

Let's suppose Debian installs a basic firewall by default. How
basic? Let's say:

- outbound: permit
- forward: deny
- inbound: accept NTP, DHCP, DNS, and any TCP packet which is a
  response to an outbound packet

Now, what should happen when a user installs an SSH daemon?
Should it automatically change the firewall? Of course,
otherwise everyone who installs SSH would discover that it
doesn't work.

How many packages now have to have scripts written to update the
firewall?

What happens when a user installs a multi-protocol daemon like
Dovecot? Does it automatically open POP, POP/S, IMAP and IMAP/S?
All of them? None of them?

There are an infinite number of questions to be asked, all of
which can be summarized as "please read the user's mind and find
out what they want". This is particularly difficult when the
user doesn't know what they want.

Remember, Debian isn't a laptop OS. Debian isn't a desktop OS.
Debian isn't a phone OS. Debian isn't a server OS. Debian isn't
a supercomputing OS. Debian isn't an embedded device OS.

Debian is a Universal OS.
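
The hypothetical default from the post, written out as an nftables ruleset. This is an added example, not part of the original post and not a ruleset Debian ships. It assumes "accept NTP, DHCP, DNS" means the reply traffic a client needs, and that loopback stays open; the post specifies neither.

```nftables
#!/usr/sbin/nft -f
# Constructed example of the "basic firewall" sketched in the post.
# Assumption: NTP/DHCP/DNS are admitted as client-side replies, matched
# statelessly by UDP source port, because the post only makes TCP stateful.

flush ruleset

table inet filter {
    chain input {
        # inbound: everything not listed below is dropped
        type filter hook input priority 0; policy drop;

        iif "lo" accept    # assumption: local services may talk to each other

        # "any TCP packet which is a response to an outbound packet"
        meta l4proto tcp ct state established accept

        # DNS and NTP replies, DHCP server-to-client traffic.
        # Source-port matching is loose; "ct state established" for UDP
        # would be tighter, but that goes beyond what the post describes.
        udp sport { 53, 123 } accept
        udp sport 67 udp dport 68 accept

        # Nothing above admits new connections to tcp port 22, so a freshly
        # installed sshd is unreachable until a rule such as
        #     tcp dport 22 accept
        # is added, by the admin or by a package maintainer script.
        # A Dovecot install raises the same question four times over:
        # tcp ports 110 (POP), 995 (POP/S), 143 (IMAP), 993 (IMAP/S).
    }

    chain forward {
        # forward: deny
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # outbound: permit
        type filter hook output priority 0; policy accept;
    }
}
```

Loading it with `nft -c -f <file>` checks the syntax without applying the rules.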