This is not a security issue. The default PAM stack is *deliberately* organized such that each module is tried in turn and any one succeeding authentication module is treated as a success for the whole stack.
If this is not the site policy you want, then you should use pam-auth-update to change which profiles are enabled. But the setup you describe is *not* the common case and is not what will be shipped by default in Ubuntu.
This is not a security issue. The default PAM stack is *deliberately* organized such that each module is tried in turn and any one succeeding authentication module is treated as a success for the whole stack.
If this is not the site policy you want, then you should use pam-auth-update to change which profiles are enabled. But the setup you describe is *not* the common case and is not what will be shipped by default in Ubuntu.