That's true for a Linux host, not for Windows. Check this out.
A user connects to the server through FTP and uploads a whole bunch of files. These files will be the PHPFusion site.
Important: The FTP user is the owner of the uploaded files.
Second: Files uploaded through the portal and all the PHP scripts will be executed by another user - the web server's user - usually apache.
Conclusion: CHMODded to 644, config.php can't be altered by a web script.
A user connects to the server, uploads the files through FTP and all the rights are set to full rights for everyone "so you can edit anything on your account". (what a lame excuse...) :(
Fact: The FTP user is the owner of the files.
Second fact: In that "full rights to everyone" configuration, all the scripts can alter files on the server unless the admin does something about it.
Conclusion: If the files are not manually set to read-only, their CHMOD equivalent is 777, which is BAD because the web server's user can also change files on the server.
Let the paranoia begin. :P
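
A way to check the situation described in the post above on a Linux host, added here as an example and not part of the original post: it lists files that an account other than the owning FTP user (such as the web server's user) may modify, and gives a verdict for config.php. The function names are hypothetical; it looks at mode bits only (no ACLs) and assumes paths without whitespace.

```shell
#!/bin/sh
# Added example (not from the original post): find files that an account other
# than the owning FTP user, such as the web server's user, is allowed to modify.

# List regular files under DIR with the group or "other" write bit set
# (modes such as 664, 666 or 777). A 644 file is never listed.
non_owner_writable() {
    find "$1" -type f \( -perm -0020 -o -perm -0002 \) -print
}

# Succeed only if FILE is writable by its owner alone (e.g. 644 or 600).
owner_only_write() {
    [ -f "$1" ] && [ -z "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]
}

# Print a permission string next to each offending file, then a verdict
# for config.php. Returns non-zero if anything needs tightening.
audit_webroot() {
    root=$1
    status=0
    for f in $(non_owner_writable "$root"); do   # assumes no whitespace in paths
        printf '%s  %s\n' "$(ls -ld "$f" | cut -c1-10)" "$f"
        status=1
    done
    if [ -f "$root/config.php" ] && ! owner_only_write "$root/config.php"; then
        echo "config.php is writable by accounts other than its owner" >&2
        status=1
    fi
    return $status
}

# Usage: sh audit.sh /path/to/site   (the path is whatever your host uses)
if [ -n "${1:-}" ]; then audit_webroot "$1"; fi
```
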