You're right. That service is turned off by default on a standard OS X installation. And most users will be behind a router and/or have the firewall turned on. This is an example of a setup destined to fail (almost like he wanted the publicity, huh?)
TUAW has a pretty good wrap up of this:
http://www.tuaw.com/2006/03/07/another-look-at-mac-os-x-security/
I'm sitting here listening to TMV talk about the Mac OSX "hack" and am a bit disappointed that they are repeating the same incomplete hype that the rest of the media are spreading.
The really big, huge, important, critical thing that *EVERYONE* has left out is that the competitors were given SSH access to the box as a start. So this was, in essence, a local exploit. So comparing a 30 minute hack of an OSX machine when local access is already available to a Windows machine being hacked when no local access is granted is just plain irresponsible.
I encourage folks to find out more about the competition before spreading more misinformation about this.
