Drupal - Why is settings.php in the web folder?
You are absolutely correct. I know for a fact that many developers/sysadmins do not take the risk that the PHP interpreter might fail at some point, and include the db password (and other sensitive data like API keys) from a file outside the webserver's docroot.
I'm surprised that this is not documented as a best practice anywhere - at least I couldn't find it on drupal.org either. I have no information on why it works the way it does.
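The pattern the answer describes, loading the credentials from a file that the web server cannot serve, as an added example; this is not code from the question, the answer, or Drupal's own shipped `settings.php`. It assumes Drupal 7's `$databases` and `$conf` arrays (Drupal 6 used a `$db_url` string instead), and the path `/etc/drupal/example.com/credentials.php` and the key names `db_password` and `api_key` are made up for the example. The point is that if the PHP handler ever stops running and `settings.php` is served as plain text, the file shown here contains no secret, only the path to one the web server has no route to.

```php
<?php
// sites/default/settings.php (example only; Drupal 7 $databases / $conf form).

// Secrets live outside the docroot, owned by the PHP process user and readable
// only by it. This path is an assumption for the example.
$credentials_file = '/etc/drupal/example.com/credentials.php';

// Fail closed: a missing or unreadable file must not leave the site running
// with empty or default credentials.
if (!is_readable($credentials_file)) {
  http_response_code(503);
  exit('Site configuration is unavailable.');
}

// Refuse a secrets file that any local user could read (the "other" read bit).
if (fileperms($credentials_file) & 0004) {
  http_response_code(503);
  exit('Site configuration file has unsafe permissions.');
}

// The external file starts with the PHP open tag and returns a plain array:
//   return ['db_password' => '...', 'api_key' => '...'];
// include returns that array, so no secret is ever written into this file.
$secrets = include $credentials_file;

if (!is_array($secrets) || !isset($secrets['db_password'], $secrets['api_key'])) {
  http_response_code(503);
  exit('Site configuration is invalid.');
}

$databases['default']['default'] = [
  'driver'   => 'mysql',
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => $secrets['db_password'],
  'host'     => '127.0.0.1',
  'prefix'   => '',
];

// Other sensitive settings (API keys etc.) come from the same array.
$conf['example_api_key'] = $secrets['api_key'];

// Drop the local copy so the secrets do not linger in global scope for the
// rest of the request.
unset($secrets);
```

With this layout a permission check on the secrets file becomes part of the deploy: `chmod 0640` and an owner/group of the PHP process user is the expected state, and the guard above turns a drift from that into a 503 rather than a site that quietly keeps working with a world-readable password.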