by aftbit 1639 days ago
I think this might be a newer problem than 1996 actually. I have seen an awful lot of "modern" (2010s at least) devops which runs everything as root because the developer could not be bothered to understand the unix permissions model. I would guess that focus on security is something that waxes and wanes, rather than something that monotonically becomes more important in the culture.

To be fair, if the only thing that the server runs is the application then root or the application’s normal user doesn’t really matter much.
It should, because if you can exploit the root user, it is much easier to use that machine as a launching point for a secondary attack. Further, root will let you cover your tracks much more easily than an unprivileged user.