Considering there are websites that get bruteforced into that have a weak root password setup over ssh that is not true. Considering in the past there have been LPE exploits to get root it is relevant that root exists. Even without a LPE if you make a malicous NPM dependency which you have someone install on their server you can make it so that the next time the user issues sudo it steals the root password and runs malware as root. These things are bad for security. If you are not hearing about Linux users being hacked, or exploits that could have had their harm minimized, that is ignorance from you.