Very recently I recovered a root password for a Debian server by booting into single user mode. This resulted in me having access to a shell with root privileges (prompt said "root@none"). Now this has left me wondering why a potential intruder can't just reboot a system and use the same process to reset the root password and infiltrate your treasure trove?!
See (https://serverfault.com/questions/482079/debian-boot-to-single-user-mode)
Best Answer
Several reasons: one, you have to have physical access to the servers, and most employees don't want to lose their jobs by getting caught on CCTV video breaking into systems. Then, you have some companies that implement BIOS / boot passwords or boot loader passwords. Sometimes, the "single user" option requires a password (if set up properly ahead of time), other times it simply isn't available.
Ultimately, though, you're correct - this is a very exploitable attack vector.
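The boot loader password mentioned in the answer can be verified mechanically. The script below is an added example, not part of the original answer. It assumes the boot loader is GRUB 2 and audits a `grub.cfg` for the `superusers` and `password_pbkdf2` directives that require authentication before a boot entry can be edited; the function name `audit_grub_cfg` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a GRUB 2 config for boot-entry edit protection.
# audit_grub_cfg is a hypothetical helper; pass it the path to grub.cfg.
# Prints one of: unprotected | no-password | plaintext | ok
audit_grub_cfg() {
    cfg=$1
    # "superusers" names the accounts allowed to edit entries or open the
    # GRUB shell. If it is unset, the menu can be edited without a password.
    users=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers="\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$cfg" | tail -n 1)
    if [ -z "$users" ]; then
        echo unprotected
        return 0
    fi
    result=ok
    # GRUB accepts spaces, commas, semicolons, pipes or ampersands as separators.
    for u in $(printf '%s' "$users" | tr ',;|&' '    '); do
        if grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+$u[[:space:]]+grub\.pbkdf2\." "$cfg"; then
            continue                      # hashed password present for this user
        elif grep -Eq "^[[:space:]]*password[[:space:]]+$u[[:space:]]+" "$cfg"; then
            # cleartext password readable by anyone who can read the config
            if [ "$result" = ok ]; then result=plaintext; fi
        else
            result=no-password            # superuser declared without a password
        fi
    done
    echo "$result"
}

# Constructed sample: a config with a hashed superuser password
# (the hash value is a placeholder, not real grub-mkpasswd-pbkdf2 output).
sample=$(mktemp)
cat > "$sample" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.CONSTRUCTED-PLACEHOLDER-HASH
menuentry "Debian GNU/Linux" {
    linux /vmlinuz root=/dev/sda1 ro quiet
}
EOF
audit_grub_cfg "$sample"
rm -f "$sample"
```

On a live system, point the function at the generated config (commonly `/boot/grub/grub.cfg`); anything other than `ok` means the boot menu is not protected by a hashed password.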