Securing the panel - good or bad practice?

It’s an interesting discussion. I saw too many access logs full of bots looking for the wp-login.php. In general any CMS suffers from that issue. In fact any login-protected site or service suffers from it. If you are afraid of the panel login being exposed, what about the Facebook login, Google login, Dropbox login, etc.?

Though I agree with @lukasbestle that hiding can give you a false sense of security, I think it’s still a good first measure to protect you from unwanted login attempts to move your login page to a different URL. That’s why you can simply change the panel folder name in the upcoming release to anything you want and it will still work (you need to adjust the rewrite rules, of course). Once the version is out I will also add this to one of the recommended steps to secure the installation.

Additionally the new version will have brute-force detection built-in, which you can configure to limit the number of allowed login attempts.

If you change your folder name to a long random string in addition to extra brute-force protection, you should not need to password-protect via htpasswd additionally. In such a case I’d really recommend to move your panel to a staging server and go without the panel on your production environment.

In general most hacks of content management systems I’ve seen so far are actually made through weak FTP accounts without encryption or with a super short password. There’s no need to hack the web interface of the CMS in such a case.

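As an added example (not from the post above and not Kirby’s own implementation) of what a configurable limit on login attempts looks like, here is a small sliding-window brute-force guard keyed by client IP. The thresholds (5 failures in 300 s, 900 s lockout), the class and function names, and the attempt log it runs over are all constructed for illustration; a real deployment would also want to key on the username and persist the state across workers.

```python
from collections import defaultdict, deque


class LoginAttemptLimiter:
    """Sliding-window brute-force guard keyed by client IP (illustrative).

    After max_failures failed logins within window_seconds the key is locked
    out for lockout_seconds. While locked, even a correct password is
    rejected, so an attacker who guesses right during the lockout learns
    nothing. A successful login outside a lockout clears the failure history.
    """

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> unix time the lockout expires

    def _prune(self, ip, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: forget it and start the failure count fresh.
            del self._locked_until[ip]
            self._failures[ip].clear()
            return False
        return True

    def check(self, ip, password_ok, now):
        """Decide one login attempt. Returns 'locked', 'denied' or 'ok'."""
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self._failures.pop(ip, None)
            return "ok"
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            return "locked"
        return "denied"


# Constructed sample of login attempts: (unix_time, client_ip, password_ok).
# Not real traffic; the addresses are from documentation ranges.
CONSTRUCTED_ATTEMPTS = [
    (0, "203.0.113.7", False),
    (1, "203.0.113.7", False),
    (2, "203.0.113.7", False),
    (3, "203.0.113.7", False),
    (4, "203.0.113.7", False),    # 5th failure inside the window -> lockout
    (5, "203.0.113.7", True),     # correct password, but still locked out
    (10, "198.51.100.2", True),   # a different client is unaffected
    (905, "203.0.113.7", True),   # 900 s lockout has expired -> allowed
]


def run(attempts, limiter=None):
    """Replay a list of attempts through a limiter and return the decisions."""
    limiter = limiter or LoginAttemptLimiter(max_failures=5,
                                             window_seconds=300,
                                             lockout_seconds=900)
    return [limiter.check(ip, ok, t) for t, ip, ok in attempts]


if __name__ == "__main__":
    for (t, ip, ok), decision in zip(CONSTRUCTED_ATTEMPTS, run(CONSTRUCTED_ATTEMPTS)):
        print(f"t={t:>4}s {ip:<14} password_ok={ok!s:<5} -> {decision}")
```

Note that the guard returns "locked" rather than "ok" for the correct password at t=5: refusing the right credential during the lockout is what stops an attacker from confirming a guess, and is the behaviour to check for when you configure whatever limit your CMS ships with. Keying only on IP is also weak against a distributed attacker, which is why the post’s other measures (a non-guessable panel path, or no panel on production at all) still matter.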