Not enabling SSH any more by default is now called a 'security update' since even RPi foundation got it that pre-defined users/passwords are a really bad thing: https://www.raspberrypi.org/blog/a-security-update-for-raspbian-pixel/   But instead of doing it correctly (forcing the user to change the password on 1st login or even create an own sudo enabled user) they chose to make it harder to set a new RPi up (I'm glad I did the first step with my RPi 3 since without knowing the /boot/s