This is by design.
Letting every user run"sudo" with only their user password effectively gives every user administrator privileges for the system. This means that a malicious attacker only needs to obtain any one of the user passwords (which is a much simpler task than getting the root password) to get full control over the system. By requiring the root password for both "sudo" and "su", we are effectively ensuring a higher level of security by separating the "casual" user accounts from the system administrator account.
Now, in order to allow users to run specific "root-access" programs without requiring the administrator password (like the mounting utility), we can add specific exceptions to this rule in the "sudoers" file. So if there is a specific program/utility that you (as the system administrator) would like the regular users to be able to run, you can do the same (just edit /usr/local/etc/sudoers).
~ Ken Moore ~