Hi internals, I'm -1 on the CSRF in sessions at all. Even more -1 on having it on by default and on having any INI settings that affect how the engine processes data at runtime. People just don't learn until they shotgun themselves, I guess.
What I personally would be for is a CSRF API module that comes by default, like the Password API one, that gives the ability to generate good-quality CSRF tokens and manage them.
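As an added example (not code from the original post, and not any php-src proposal or RFC), here is one userland sketch of what a Password-API-style CSRF module could look like: a CSPRNG-backed per-session secret plus per-action tokens derived with an HMAC, verified in constant time. The function names csrf_token_create()/csrf_token_verify(), the session key '__csrf' and the HMAC-per-action design are assumptions made for illustration.

```php
<?php
// Added example, not part of the original post or any php-src RFC.
// Hypothetical userland sketch of a "CSRF API" shaped like the password_*()
// functions. Function names and the '__csrf' session slot are assumptions.

declare(strict_types=1);

const CSRF_SECRET_BYTES = 32;        // 256 bits from the CSPRNG (random_bytes)
const CSRF_SESSION_KEY  = '__csrf';  // assumed storage slot inside $_SESSION

/**
 * Return the per-session secret, creating it on first use.
 * The raw secret stays server-side; only derived tokens go into forms.
 */
function csrf_session_secret(array &$session): string
{
    if (!isset($session[CSRF_SESSION_KEY]) || !is_string($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = random_bytes(CSRF_SECRET_BYTES);
    }
    return $session[CSRF_SESSION_KEY];
}

/**
 * Derive a token for one form/action as HMAC-SHA256(action, session secret).
 * Binding the token to an action name means a token captured from one form
 * cannot be replayed against a different, more sensitive one.
 */
function csrf_token_create(array &$session, string $action): string
{
    $secret = csrf_session_secret($session);
    return bin2hex(hash_hmac('sha256', $action, $secret, true));
}

/**
 * Verify a submitted token for the given action.
 * hash_equals() compares in constant time; a plain == or === would leak
 * how many leading bytes matched through timing.
 */
function csrf_token_verify(array &$session, string $action, ?string $submitted): bool
{
    if (!isset($session[CSRF_SESSION_KEY]) || $submitted === null) {
        return false;                        // no secret yet, or no token sent
    }
    if (preg_match('/\A[0-9a-f]{64}\z/', $submitted) !== 1) {
        return false;                        // reject malformed input before comparing
    }
    $expected = csrf_token_create($session, $action);
    return hash_equals($expected, $submitted);
}

// --- Usage with a constructed in-memory "session" (no session_start() needed) ---
$session = [];

$token = csrf_token_create($session, 'delete_account');
echo '<input type="hidden" name="_csrf" value="'
    . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">' . PHP_EOL;

// Simulated POST handling for several cases:
var_dump(csrf_token_verify($session, 'delete_account', $token));        // matching action
var_dump(csrf_token_verify($session, 'change_email', $token));          // token bound to another action
var_dump(csrf_token_verify($session, 'delete_account', strrev($token))); // tampered token
var_dump(csrf_token_verify($session, 'delete_account', null));          // token missing from request

$freshSession = [];                                                     // session without a secret
var_dump(csrf_token_verify($freshSession, 'delete_account', $token));
```

In a real application $session would be $_SESSION after session_start(), and the token would be emitted into every state-changing form and checked before the handler does any work; rotating the secret on login (alongside session_regenerate_id()) keeps tokens from surviving a session fixation.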