Whole heartedly agree.
I also remove all rights assigned to the PUBLIC group/role so that a user has to be explicitly associated with a specific role. You don't come in one morning and find a strange IUSR_WebServer user in your database!
I also use NT security with a lot of my database, but NOT the NT administrators group.
I'm fortunate in that I can dictate exactly what goes on in my database so I also remove any direct on tables so that everything has to come via stored procedures.
I find that once my developers see the performance increase of stored procedures and realise how much simpler a stored procedure makes their life I find they become absolute zealots on the subject!