Hi,
It is indeed a very common pitfall, though it is uncertain why so many people ended up with insecure configurations. For example, I can see in Ubuntu's package logs that the bind_ip line has been there since at least 2011, so any mongodb installed after that date should have been secure unless the user explicitly changed the configuration.
Were you the only person using that machine? Have you ever changed the `/etc/mongodb.conf` file? Have you ever tried to connect to your mongodb server from outside before? When you followed the Passenger deployment tutorial, was this a newly provisioned machine, or did you run Meteor on that same server before?
The answer to one of those questions should point us to why your server was configured insecurely.
Kind regards,
Tinco