Seriously, anyone who disagrees with that ends up with even bigger problems, like getting hit by ransomware. You, not some developer or Linus Torvalds or anyone else, are responsible for your client and your data. If you put your server on the internet without securing it properly, you deserve to get owned. Your negligence ends up hurting other people.
Is that so hard to understand? You have to take security seriously. My point is that a firewall is the bare minimum you should be thinking about when setting up your server.
The issue is when people don't realize that CUPS is installed either because it happened by default or was accidentally brought in through some other transitive dependency. Ubuntu is especially vulnerable to dependency smuggling like that because recommended packages are installed by default.
Don't blame or anger at people for not knowing their stacks entirely. There's so much to keep track of that it's totally understandable that something like this can fall through the cracks.
That's the point - you don't need to know your stack. You don't need to worry if CUPS is installed, enabled, or listening on your interface. You don't need any of that, as long as you do the bare minimum and configure your firewall.
Is that so hard to understand? You have to take security seriously. My point is that a firewall is the bare minimum you should be thinking about when setting up your server.