hawaii, in general (I agree with you in this context - I'm talking over-all, which is what you seem to be making a claim about), I would say that's starting to not apply. In principle, I still agree with you. However, in practice, better security can mean the difference between somebody bothering to continue trying, and giving up. Up to and including the FBI trying to months and deciding that they can't get in (if you can't find the case I'm talking about, and actually care, feel free to ask for a link).

However, in this case, I side with default config/password - because in this case the SSH really isn't there for security, it's there as a fallback position when you can't boot. As mentioned, if you know how to work with backupmenu, which you'd need to at least partially to figure out how to use the default SSH password/config from option 2, then you can probably figure out in option 1 that you can just back up everything and move the backups elsewhere.

In this case, the SSH really only seems to come in when you're having booting problems. In this case, with the N900 and bootmenu, hawaii is right in so far as security being compromised with physical access. If you can get into bootmenu, if you bother to lookup and understand how bootmenu works, you can probably figure out how to backup and move the backups off device about as easily as you can lookup the default SSH config and how to use it.