If they had used 'unlock-at-boot'/TrueCrypt-style disk encryption and kept the password/key off the machine they would have been safe from this attack. (They would also have to provide the password/key every restart.) It is only in hindsight that something like this seems worth implementing!
Your more general solutions would protect from an attack that rooted a live system rather than just resetting the root password while the machine was offline.