I realize this is a very old thread but, from what I can tell, its still the normal behavior with Debian and I had an idea.
As discussed the `--force` option is not very secure. Instead, why not change the `systemd` scripts to open a shell as a regular user who has login and `sudo` as `root` privileges? Like a system admin maybe. That way they can login with their ID and then use `sudo` to become root -- which would require their password again. This seems like a far better and more secure option then currently prescribed which is either to use `--force` or to not lock the `root` account. Thank you! *_Nacho*