Incorrect assumption. They could very well have been written for PHP4. As I've pointed out, on PHP4's release, register_globals was turned on as a backwards compatibility thing with PHP3 and PHP.net pushed people not to use register_globals, but since many books were still written for PHP3, novice PHP developers never saw that and continued to use them.
I happen to be sitting right next to such a novice developer, with whom I had a fight 'cause I turned off register_globals on our intranet. /boggle
Default was On with PHP4 until 4.2.0. They may have kept with the same configs used by the initial release of PHP4.0. So in fact, if they'd had it off, they would have to "turn it off".
Sounds reasonable to me. Although I would add to the fact for backwards compatibility of originally built PHP4 scripts, too.
It's safe to assume all scripts are built for PHP4 or up these days. It's not safe to assume that they were all built for PHP4.2.0 as many novice PHP developers were completely unaware that register_globals was turned off, by default, in 4.2.0+ and expect register_globals to be on per 4.0's original defaults. PHP5.0 is, in fact, changing that expectation.
Is there more that I should be reading here? Your argument is that PHP4's default is Off, which isn't exactly the case. Pre-4.2.0, it was in fact defaulted on. And DH should have kept it at its default setting (off -- actually 'on') when any sane web administrator will be using the same php.ini file per PHP version (php3, php4, php5). And not worry about copying the php.ini-dist after every install of PHP 'cause they "might" have changed something to a developer's benefit.
So, in closing, register_globals was on in PHP4 by default until 4.2.0. You can assume through a reasonable guess that if they've had PHP installed since pre-4.2.0, they are using the same php.ini which would conclude that setting it off would in fact mean they would have to "turn it off".