To develop for WordPress, I did what everyone else does and Googled examples. None of them had this, which is an issue as it encourages insecure style.
I think that an update to WP that simply rejected all posts that do not have a _wpnonce would not be a bad thing.
As to the nonced value, I'm not sure how much additional security is added by using more than just the user name (+salt) as the nonce hash. If an attacker could already log in as the user to obtain the nonce then the game is over anyway. The trade-off is that using a standard nonce means that WP can always check its value automatically.
One annoyance is that wp_nonce_field adds the ever-growing request field by default. Is it protected by the nonce? Not clear how to utilize it; I just turned it off.
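For reference, an added example (not part of the comment above and not WordPress's own code) of a form and handler that use wp_nonce_field and reject any POST without a valid _wpnonce, with the third argument set to false to leave out the hidden referer field. The plugin name, the `myplugin_*` function names, the option name and the page slug are hypothetical.

```php
<?php
/**
 * Plugin Name: Nonce Example (constructed for illustration)
 */

// Register a settings page that renders the form (slug "myplugin" is hypothetical).
add_action( 'admin_menu', function () {
    add_options_page( 'My Plugin', 'My Plugin', 'manage_options', 'myplugin', 'myplugin_render_form' );
} );

// Render a form that carries an action-specific nonce.
function myplugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save">
        <?php
        // Arguments: action, field name, referer field, echo.
        // false as the third argument omits the hidden _wp_http_referer input.
        wp_nonce_field( 'myplugin_save', '_wpnonce', false, true );
        ?>
        <input type="text" name="myplugin_label">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the POST: verify the nonce before touching any state.
function myplugin_handle_save() {
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    // wp_verify_nonce() returns false for a missing, expired or wrong-action nonce.
    if ( ! wp_verify_nonce( $nonce, 'myplugin_save' ) ) {
        wp_die( 'Invalid or missing nonce.', 'Forbidden', array( 'response' => 403 ) );
    }
    // A valid nonce is not a permission check, so test the capability separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    $label = isset( $_POST['myplugin_label'] ) ? sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) ) : '';
    update_option( 'myplugin_label', $label );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );
```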