RPF is most of the answer
Isn't it?
Security watchers have warned about a new class of DDoS amplification attack threat which only exists because too many users are failing to follow basic safeguards. Improperly configured services such as DNS or Network Time Protocol (NTP) have been exploited to launch a string of DDoS attacks over the last couple of years, the …
It is part of the answer. The other is that portmap is mainly required for NFS and NFS is not needed on most systems and in the case where it is needed, there is a lot of manual configuration needed anyhow so there is no reason to install portmap or NFS by default.
I really don't understand why so many Linux distros install it even in a barebones install.
-- I really don't understand why so many Linux distros install it [...] --
Probably the same reason a "server" install (on a headless machine) of some mainstream distros includes a metric buttload of video-card drivers and other media-munging cruft. Either they can't be arsed to figure out what is useful or
"I once left Hercules support off the install disk I made for my Gran, and caught hell"
"Does your Gran run a rack full of headless Xeon servers?"
"No, but she _MIGHT_!"