This question is sorta similar to "Why don't distros enable restrictive MAC policies by default?"
Maintainers _could_ take the time to lock down sshd and limit the damage it can do if exploited, but there are costs associated with that:
1. Upfront development cost
2. Maintenance cost from handling bug reports (lots of edge cases for users)
3. Maintenance cost from keeping this aligned with upstream changes
You could extend this argument and say that distros shouldn't bother with _any_ security features, but part of the job of a distro maintainer is to strike a balance here, and similar to SELinux / AppArmor / whatever, most mainstream desktop distro maintainers probably don't think the juice is worth the squeeze.