I'll state once again I think headless "out of the box" installs should be enabled.
The convenience factor is huge. Most folks don't have a spare monitor and keyboard easily accessible. These days notebook users may not have a separate monitor or keyboard at all.
The odds of a Pi being booted up exposed to the wild is virtually nil.
Exposure could be mitigated. Limit the initial ssh to the current local network, or just RFC1918 nets. Have a job to halt the system or disable ssh some limited time after initial boot if setup isn't completed.