Apple's guidance not quite correct - do not disable the root user!
Apple's guidance isn't quite correct. They say "you should disable the root user after completing your task". However, if you set a root password, then disable the root user, it resets the password back to blank and reintroduces the vulnerability.
You need to set a root password, then make sure you leave the root account enabled. Only then do you defeat the vulnerability.