Of course a "rogue app" can become root; same as on Ubuntu, Debian or pretty much anything else, after deceiving the sysadmin into installing it. If your sysadmin installs trojans, you're screwed, oddly enough. But a trivial default password has nothing to do with it, because root logins, su, or any other method of directly accessing root is not possible by default; that's why they warn you in case of installing something which permits root login.

But you will note that Navi said "viruses", and you're talking about trojans (AKA rogue apps, I guess). A virus must be run as root, or in an suid-root binary to infect system-wide binaries; you'd then have to distribute those infected binaries to another system where they'd have to be run as root or suid root to spread farther...

A key logger seems not worth worrying about; what would you do with a key logger you couldn't do easier otherwise? (Say, a tweaked version of the input methods, where instead of just going to *s in password fields, also uploads them + some information about the foreground app, and maybe things that look like credit card numbers, too.)