Just realized that our client follows the policy of not allowing root ssh login for security reasons. it does make sense for quick security dev box. ButI would be surprised if they follow only that for the production box. But for all i know, they might be.
(I was talking about it in the context of this: http://serverfault.com/questions/244614/is-it-normal-to-get-hundreds-of-break-in-attempts-per-day)
After all, Security by Obscurity, is good enough in certain narrow conditions, if you want to stop DDOS attacks via a open ssl port.