The default ulimit on max user processes is so high, it doesn't serve as protection. An admin must find much tighter limits to make a box more secure against fork bomb DoS attacks.
Fork bombs have always been of little concern to admins. They do relatively little damage and are completely traceable. The perpetrator does little more than land himself in a lot of hot water. In most cases, the threat of disciplinary action is enough protection--it's not an attack that can be launched anonymously.
In the extremely rare case where fork bomb protection is a big enough concern to warrant reducing the process limits, the administrator can impose whatever ulimit he wants. However, this is the exception rather than the rule.
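For an admin who does decide to tighten the limit, the check below reads a pam_limits-style `limits.conf` and reports whether a user's hard `nproc` limit is actually bounded. It is an added example, not part of the original comments; the sample config, the function names and the threshold passed to `audit` are constructed for illustration, and `@group` entries are ignored for brevity.

```shell
#!/bin/sh
# Added example: audit the hard "nproc" (max user processes) limit that a
# pam_limits-style limits.conf would give a user. Simplified: only exact
# user entries and the "*" wildcard are considered; @group entries are skipped.

# Print the hard nproc value for USER from FILE (empty if none is set).
# A user-specific line beats "*"; within one kind, the last line wins.
nproc_hard_limit() {    # nproc_hard_limit FILE USER
    awk -v user="$2" '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        $3 != "nproc" { next }
        $2 != "hard" && $2 != "-" { next }     # "-" sets both soft and hard
        $1 == user { u = $4 }
        $1 == "*"  { w = $4 }
        END { if (u != "") print u; else if (w != "") print w }
    ' "$1"
}

# Return 0 only if LIMIT is a plain number no larger than MAX.
# "unlimited", "infinity", "-1" or a missing limit all count as unprotected.
nproc_is_tight() {      # nproc_is_tight LIMIT MAX
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le "$2" ]
}

# Constructed sample config (not taken from any real host).
sample_conf() {
    cat <<'EOF'
# <domain> <type> <item> <value>
*        soft   nproc  4096
*        hard   nproc  unlimited
alice    hard   nproc  200
bob      -      nproc  60000
EOF
}

# Print a verdict line for USER; MAX is the site's own chosen ceiling.
audit() {               # audit FILE USER MAX
    limit=$(nproc_hard_limit "$1" "$2")
    if nproc_is_tight "$limit" "$3"; then
        echo "$2: OK (hard nproc=$limit <= $3)"
    else
        echo "$2: WEAK (hard nproc=${limit:-unset} > $3 or unbounded)"
    fi
}
```

The soft limit is deliberately not checked: a user can raise it up to the hard limit with `ulimit -u`, so only the hard value bounds a fork bomb.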