It's a matter of configuration choice.

I originally had the comments enabled. But I'm not confident that I'd be able to monitor the server properly and update the gallery software if someone finds a PHP exploit that takes advantage of the comments field writing. So I disabled them.

That's the sort of thing that usually get compromised when a server is broken into: Little known bugs in publicly exposed input fields like that. I'm not saying there's exploits in the comments feature now, I'm just saying that if someday a bug is discovered, I'd prefer to know that I wasn't exposed to it instead of losing sleep over it.

It was a really hard decision, because I really like the comments feature and would really have loved to get direct comments from everyone.