Thread: Want to lock down my N900 but rootsh requires no password
1i1g
2010-03-11 , 00:13
Posts: 3 | Thanked: 0 times | Joined on Mar 2010
#8
I am also trying to tackle the problem of user being able to run "sudo su" without being asked for a password. I have removed the line "user ALL = NOPASSWD: ALL" and have tried adding the line "user ALL = PASSWD: /bin/su" to the list without success. Removing only the "... NOPASSWD: ALL" line worked too well and does not permit anything besides the exceptions listed in the sudoers file. Adding the line "... PASSWD: /bin/su" allows user to run "sudo su" but does not ask for the password, which defeats the purpose of my endeavour.
On a side note: there is no need to mess with bootmenu.sh and rebooting the N900 at all. This can all be done by editing the correct files in /etc/sudoers.d/ and running the command update-sudoers.
Testing modifications to /etc/sudoers is most efficiently done by logging into the N900 as root and editing the sudoers file while running a 2nd ssh session as user and testing commands. It's much easier to make corrections that way.
EDIT: adding "user ALL = PASSWD: ALL" seems to have worked. Also, in retrospect, "user ALL = PASSWD: /bin/su" seems to have worked as well. The reason for this is that sudo remembers for quite some time that a user used sudo (in this case remembers the last successful sudo test) and does not ask for the password during this time.
"sudo -k" effectively invalidates the timestamp which lets you test these things.
Last edited by 1i1g; 2010-03-11 at 00:31.
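An added example, not part of the original post: a shell function that lists every rule still carrying the NOPASSWD tag in the fragments under /etc/sudoers.d, which is the kind of line the post describes removing. The sample file names, the `/usr/bin/example-tool` path and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report sudoers rules tagged NOPASSWD.

# Print "file:line: rule" for every NOPASSWD rule in the fragments under DIR
# (default /etc/sudoers.d). Returns 0 if any were found, 1 if none.
find_nopasswd_rules() {
    dir=${1:-/etc/sudoers.d}
    set --
    for f in "$dir"/*; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    [ $# -gt 0 ] || return 1
    awk '
        FNR == 1 { cont = "" }                 # never join lines across files
        {
            # Join backslash-continued lines; start = line where the rule began.
            if (cont != "") { $0 = cont $0 } else { start = FNR }
            if ($0 ~ /\\$/) { sub(/\\$/, " "); cont = $0; next }
            cont = ""
            # Skip comment lines, but keep "#<uid>" user specifications.
            if ($0 ~ /^[ \t]*#/ && $0 !~ /^[ \t]*#[0-9]/) next
            if ($0 ~ /NOPASSWD[ \t]*:/) {
                printf "%s:%d: %s\n", FILENAME, start, $0
                hits++
            }
        }
        END { exit(hits ? 0 : 1) }
    ' "$@"
}

# Build a directory of constructed sample fragments and print its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'user ALL = NOPASSWD: ALL' > "$d/01sudo"
    printf '%s\n' 'user ALL = PASSWD: /bin/su' > "$d/02su"
    printf '%s\n' 'user ALL = \' '    NOPASSWD: /usr/bin/example-tool' \
        '# user ALL = NOPASSWD: /bin/sh' > "$d/03cont"
    echo "$d"
}
```

Run `find_nopasswd_rules "$(make_sample_dir)"` to see it flag the first and third sample files. On a real device, clear the cached timestamp with `sudo -k` before checking that a changed rule now prompts for the password.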