Do you prefer that or everything (or most/many services) being enabled by default? It's a good practice and, for me, very practical - I don't need to find everything I'm not using and disable it.
But trumpeting your default install's safety record doesn't actually say much when the default install doesn't actually do anything. As soon as you add a package or a port you're beyond "default install" territory and their vaunted security reputation's coverage.