IMO, it should be off by default on all httpd versions, just as the config should default to no access. Personally, I would prefer that all of the defaults be set internal to the server such that a running httpd with an empty status file would only be capable of responding successfully to "/" with a simple "You need to configure the server now." Everything else should be a 403 or 404 until it is explicitly configured.
+1 on patch.
....Roy
