Doesn’t Ubuntu disable the root user out of the box and expect these actions to be performed via sudo/polkit. There is clearly a precedent for not needing a root password and being able to use your own user’s password for these kinds of things. So it is a monumentally stupid idea to require the system-wide root password, but not one that is done by all of linux, and seems to be a decision made by your distro to not use the modern solution.

The fact is though, you’re right and the pain point is that distros are still doing things the silly way.

• Distros should be using sudo/polkit/anything other than root user password to do things like this
• Modifications to the sudoers file should be easier
• The distro setup process should just be able to have some prompts about smart default things (“Passwordless updates?”) even if they include strongly discouraging comments.

If I can sudo apt install without requiring a password, I could generate a package that installs a custom sudoers config file that allows me to do anything, so “passwordless sudo, but just for apt” is potentially easily exploitable to gain full access. But that also still assumes A) you care and B) someone has access to your account anyway (at which point you may already have bigger problems)