Subject: Anybody have an annotated setuid list?
To: None <current-users@NetBSD.ORG>
From: VaX#n8 <vax@linkdead.paranoia.com>
List: current-users
Date: 07/15/1996 23:55:11

IMHO (of course), the man pages or some file should state why the program
is set-uid/set-gid.

Failing that, or maybe in addition, it would be VERY nice to have a list
of all the setuid programs and why they must be setuid, so a sysadmin
can easily identify the ones that don't need that functionality on his
or her system and remove the suid bit.

Note that I'm not suggesting we not fix bugs, but this is rather a
default-deny stance that prevents you from always playing catchup
(a game many do not have time to play).

(This in wake of several free Unix suid problems on programs like pppd,
 rdist, dip et al.)
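
An added example, not part of the original message: one way a sysadmin could keep the kind of annotated list the post asks for and check a system against it. The list format (path, whitespace, reason), and the function names lookup_reason, audit_setid and count_unannotated are assumptions of this sketch, and paths containing whitespace are not handled.

```shell
#!/bin/sh
# Audit set-uid/set-gid files against an annotated list (added example).
# Assumed list format, one entry per line:
#   /absolute/path<whitespace>reason the bit is needed
# Blank lines and lines starting with '#' are ignored.

# lookup_reason FILE LIST: print the recorded reason; exit 1 if FILE is unlisted.
lookup_reason() {
    P="$1" awk '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
        $1 == ENVIRON["P"] {
            sub(/^[ \t]*[^ \t]+[ \t]*/, "")          # drop the path column
            print; found = 1; exit
        }
        END { exit !found }
    ' "$2"
}

# audit_setid ROOT LIST: one tab-separated line per set-id regular file under
# ROOT, marked ANNOTATED (with its reason) or UNANNOTATED.
audit_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    sort |
    while IFS= read -r f; do
        if reason=$(lookup_reason "$f" "$2"); then
            printf 'ANNOTATED\t%s\t%s\n' "$f" "$reason"
        else
            printf 'UNANNOTATED\t%s\n' "$f"
        fi
    done
}

# count_unannotated ROOT LIST: number of set-id files with no recorded reason.
count_unannotated() {
    audit_setid "$1" "$2" | awk '/^UNANNOTATED/ { n++ } END { print n + 0 }'
}

# Stand-alone use: sh audit.sh /usr /etc/setid.annotated
if [ "$#" -eq 2 ]; then
    audit_setid "$1" "$2"
fi
```

Every UNANNOTATED line is a file to either document in the list or strip with chmod u-s,g-s, which gives the default-deny review the post describes.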