While there is possibly an argument that not configuring a firewall by
default introduces some vulnerability, it is equally valid to argue that
there are no sensible default firewall policies that can be put into
place without a defined threat model.
I suspect that the vast majority of people deploying systems are doing
so behind some sort of device that provides border security to the local
network (e.g., router/firewall/NAT/etc.). So, if the default threat
model is "a relatively trusted network with adequate border security"
then the current default is appropriate.
Those who deploy systems directly to a location where they are in
immediate contact with the public Internet should already understand the
ramifications of that decision and tailor their installation process
accordingly.