[ahje]

In most cases, yes. Most shared hosting providers will execute all PHP files as a default, although it's quite doable to block access using rewrite rules or custom access controls.

Problem is that the majority of WordPress users lack the know-how to do it on their own, as well as the will to pay for someone else to do it for them.

Web hosts aren't interested because supporting it would be a nightmare due to the millions of possible plugin/theme combinations.