[smhenderson]

But the part I'm concerned about is that they seem to think that having password-less sudo is a security win.

I thought they were saying they don't want people's passwords. People reuse them, naive people giving up an actual root password, etc.

Not sure they mean always using NOPASSWORD is good for security.

[LukeShu]

Sure, giving the password to an application is a mess. Because if the application is compromised, the attacker now has the application's sudo password (ie, the vuls user's password, not the root password), and that's a bad deal. But just having it NOPASSWORD wide open is strictly worse. A knee-jerk reaction is to avoid passwords because it's another attack surface that can be broken open, but in this case just getting rid of it is strictly worse. With SSH, disabling password auth is turning the locked door into a solid brick wall. With this, NOPASSWORD is taking the door off the hinges because you are afraid of someone picking it.