pam_securetty was removed from /etc/pam.d/login with the argument that remote
logins use /etc/pam.d/remote anyways. However, when using a serial line with
getty that is usually not the case and I think the original use case for
pam_securetty. So in order to keep existing configs working and make use cases
like machinectl work at the same time I'd suggest to put pam_securetty back
into the config file but not ship an /etc/securetty by default anymore. Without
/etc/securetty pam_securetty would just fall through.