Well, there is no such thing as absolutely secure, short of disabling wireless and pulling the network cables out.
Seriously, it's more about how much security you find acceptable.
Of course: change root password, make WiFi secure, good SSH and user passwords, ... but:
That's for sure, but in addition you should also delete all SSH keys that the plug was shipped with and generate new ones.
- should I disable the root-user (like it is default on Ubuntu)?
This is a matter of opinion. Many people consider it a good idea, but personally I believe it only gives a false sense of security.
- Is the GuruPlug (or also the SheevaPlug) secure by default or is anything running that I should take care of?
No, it is not. For one thing, it has an unencrypted wireless network activated automatically. Who knows what else.
I would strongly advise you to set up a firewall to block any communication except what you explicitly allow. There are lots of how-tos out there.