I'm not trying to beat anyone up over this, but I don't see how the coming and going of those with admin access is relevant to security. Not everyone with ACP access has full access. We utilize the in-depth permission system to give team members certain scopes to work with. But even with a small team that rarely changes, their IP will change quite often, which means using a firewall to block access will be impossible without some type of custom integration.
2FA does solve the problem, but I (and I'm sure others) would prefer not to have the page accessible to anyone. Given IPS is a well-known software, the default location is easily accessible and is a very common path that many other CMS's use. It would make me feel better being able to set a unique name so people can't stumble upon it, even if it's secure.
Was there any particular reason this feature had to go? I agree it didn't make much sense in regards to security, but it didn't hurt? I feel like the usefulness of this was underestimated when this was decided upon. The lack of a deprecation warning until now seems a bit odd as well. Surely this is going to be overlooked up until IPS5.