Hi,
I initially thought this also, but it really only provides a login link to all the sites if you disable the setup.php script. Here’s a listing of files to consider securing/removing: http://www.open-emr.org/wiki/index.php/Securing_OpenEMR#OpenEMR
I actually removed the admin.php file from this list, because can’t really do much if the setup.php script is gone/disabled/secured.
-brady