"An alternative would be to have the X server run as a system user that lives in a specific group with access to the input devices, but that has flaws of its own. An exploit against the server would potentially give an attacker a means to access all users that are logged into X sessions, so a malicious local user or some remote exploit of a vulnerable X program might be able to affect all users of the system."
Well OK, but isn't that also the case for the usual X server running as root?
So, while running X with a dedicated user/group is not perfect, it seems like an improvement in that it makes gaining root privs. more difficult. Why must this be an all or nothing affair? Switching to a dedicated user/group would be a nice step in the right direction and doesn't make things any worse, so distros should take it, even while they continue trying to figure out a better way.