That is a pretty incredible oversight. Allowing any user id to log in with no password is a big deal, but the idea that the root account (and the privileges that accompany that account) is accessible with no password makes it exponentially worse.
One user reported the ability to also access the computer using the root login remotely.
Not exactly definitive. There are procedures to disable remote root access, but I have no idea whether or not Apple configures their OS in that manner as a default. I'm guessing - probably not.
This is old news now, as Apple has already patched the hole with both a macOS update and a stand-alone patch. It is a bit troubling how Apple has experienced several glaring security, usability, and show-stopper bugs in the last few weeks with both macOS and iOS. There needs to definitely be a review of and adjustment to internal testing policies.
That being said, I still prefer macOS and iOS to anything else out there.