Good news, bad news.

Good news is, I get the same results in my tests. :-)
Bad  news is, I get the same results in my tests. :-(

SYSSTART did see the STARTSESS but since the password was not supplied
and one is required, it issued 2 error msgs.

Invalid Password For ... During Logon (JS 65)
Missing Password (CIERR 1444)

And the logon appeared to be abandoned.

I was then prompted for the password for the default logon to
OPERATOR.SYS (without the session name).

I also tried a START NORECOVERY LOGON=w,x.y,z  and that simply replaced
the default OPERATOR.SYS logon.

Bug or 'feature'?

I found an RCAN (Response Center Application Note, remember those?) #28
The Startup State Configurator that has a note that says that any
commands that require passwords must be included in the file. It also
mentions that the COMMAND intrinsic is used to execute the commands (not
sure if this is still the case).

I saw other docs in our database where CIERR 1444 was return by the
COMMAND intrinsic on a STREAM command where passwords were omitted from
the JOB card.

The examples in the System Startup, Configuration, and Shutdown
Reference Manual show hardcoded passwords.

So, it seems that it is more of a 'feature', er, 'known limitation?'
rather than a bug. I agree that leaving passwords in a file in PUB.SYS
is undesirable. The RCAN addresses this by suggesting the use of ALTSEC
after  editing SYSSTART. While that does solve it, I personally would
forget.

I like the suggestion that Russ Smith made:
> How about this?  If your console is in a secure location and your SYS
> account (and possibly OPERATOR.SYS userid, as well) is passworded, why
> not modify your logon UDC to test for HPLDEVIN=20, HPJOBTYPE=S and
> HPJOBNUM=1 to bypass the need for a session name.  If you have the
> ranges for SESSNUM (use SETCOUNTER to set iterations) set to preclude
> session number 1, this should be secure.

HTH