There's this code in the debian/mariadb-server-10.1.postinst script:
On initial installation it creates a world-readable /etc/mysql/debian.cnf, writes a password to it, and only then revokes privileges. This leaves a small theoretical gap during which an attacker may intercept the debian-sys-maint password.
Also, the password passes through a number of echo calls. This might be alright since echo is a bash builtin, but echo has a rather poor reputation as a tool for handling passwords.
In addition to that, a REPLACE statement against mysqld --bootstrap is used to update the password:
it bypasses password validation plugins
it bypasses audit plugins
it increases installation time (it has to run the rather heavy mysqld)
it also increases mysqld downtime
it may fail if the database has some plugin-specific configs (see MDEV-8437)
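
The file-creation order and the echo handling described above can be compared side by side in a small sketch. This is an added example, not code from the postinst script: the function names, paths and password are constructed, and a root umask of 022 during package installation is an assumption.

```shell
#!/bin/sh
# Added example: constructed names and values, not the Debian postinst code.

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Order described in the report: create, write the secret, restrict afterwards.
# Prints the mode the file had while it already contained the password.
write_cnf_weak() {
    cnf=$1 pass=$2
    (
        umask 022                        # assumed umask during package install
        : > "$cnf"                       # created with mode 644
        echo "[client]"                >> "$cnf"
        echo "user = debian-sys-maint" >> "$cnf"
        echo "password = $pass"        >> "$cnf"   # echo may rewrite backslashes
        mode_of "$cnf"                   # secret is on disk, file still readable
        chmod 0600 "$cnf"                # restriction arrives too late
    )
}

# Hardened order: restrict first, write a private temp file, rename into place.
# Prints the mode of the temp file at the moment it holds the password.
write_cnf_safe() {
    cnf=$1 pass=$2
    (
        umask 077                        # anything created below is owner-only
        tmp=$(mktemp "$cnf.XXXXXX") || exit 1      # mktemp creates with mode 600
        # printf with %s writes the password byte for byte, unlike echo, whose
        # treatment of backslashes and leading dashes differs between shells.
        printf '[client]\nuser = debian-sys-maint\npassword = %s\n' "$pass" > "$tmp"
        mode_of "$tmp"
        mv -f "$tmp" "$cnf"              # atomic rename within the same directory
    )
}
```

Calling `write_cnf_weak` on a scratch path prints 644, the mode in effect while the password was already in the file; `write_cnf_safe` prints 600 and the final file never exists in a wider mode.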