Currently, the Virtualmin installation file leaves securing MySQL/MariaDB to the end users, automatically setting them up with test databases, an anonymous user and no root password. Unfortunately, not everybody removes those test databases, deletes the anonymous user and sets up the root password. In fact, most users have the impression that Virtualmin is secure and start using their system just after running the Virtualmin installation file as is, which in fact represents a huge security issue.
You can read about securing the initial MySQL accounts at http://dba.stackexchange.com/questions/13361/mysql-why-are-there-test-en..., which in turn references https://dev.mysql.com/doc/mysql-security-excerpt/5.1/en/default-privileg...
I'd like to quote the most important part of why the Virtualmin setup file needs to run mysql_secure_installation:
On Unix, MySQL comes with a mysql_secure_installation script that can perform several helpful security-related operations on your installation. The script has the following capabilities:
Set a password for the root accounts.
Remove any remotely accessible root accounts.
Remove the anonymous user accounts. This improves security because it prevents the possibility of anyone connecting to the MySQL server as root from a remote host. The result is that anyone who wants to connect as root must first be able to log in on the server host, which provides an additional barrier against attack.
Remove the test database (If you remove the anonymous accounts, you might also want to remove the test database to which they have access).
So please make the Virtualmin installation file take care of this important step to secure the database and thus save lots of Virtualmin users from security breaches.
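
The four conditions listed in the quote can be checked from the shell before and after hardening. This is an added example, not part of the original request and not Virtualmin's or MySQL's own code; the function names, the sample rows and the MySQL 5.1-style Password column are assumptions.

```shell
#!/bin/sh
# Audit the defaults that mysql_secure_installation is meant to remove.
# Assumed input for audit_accounts: tab-separated Host, User, Password rows,
# as a MySQL 5.1-style server prints them for
#   mysql -N -B -e "SELECT Host, User, Password FROM mysql.user"
# Assumed input for audit_databases: one database name per line, as from
#   mysql -N -B -e "SHOW DATABASES"

audit_accounts() {
    awk -F '\t' '
        # Anonymous account: empty user name.
        $2 == "" { print "ANON_USER host=" $1 }
        # root account with no password hash stored.
        $2 == "root" && $3 == "" { print "ROOT_NO_PASSWORD host=" $1 }
        # root account reachable from anything other than the local host.
        $2 == "root" && $1 != "localhost" && $1 != "127.0.0.1" && $1 != "::1" {
            print "REMOTE_ROOT host=" $1
        }
    '
}

audit_databases() {
    # The test database and anything named test_*.
    awk '$0 == "test" || $0 ~ /^test_/ { print "TEST_DB name=" $0 }'
}

# Constructed sample: account table of an unsecured fresh install.
sample_fresh_users() {
    printf 'localhost\troot\t\n'
    printf 'db1.example.test\troot\t\n'
    printf '127.0.0.1\troot\t\n'
    printf 'localhost\t\t\n'
    printf 'db1.example.test\t\t\n'
}

# Constructed sample: the same server after hardening (placeholder hash).
sample_hardened_users() {
    printf 'localhost\troot\t*CONSTRUCTED_PLACEHOLDER_HASH\n'
}

echo "fresh install:"
sample_fresh_users | audit_accounts
printf 'mysql\ntest\n' | audit_databases
echo "hardened (no findings expected):"
sample_hardened_users | audit_accounts
```

An installer could run the same checks against the live server after setup and refuse to report success while any finding remains.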