Since there are certain operations that can only be done with the root account, there is no way to disable access to it.

Since 2024 you can disable the root credentials on all accounts except the Organization management account: https://aws.amazon.com/blogs/aws/centrally-managing-root-acc...

I don't think the post mortem details whether the root access was on the org management account or an org member account.

Oh wow. I completely missed that change.