Separating the two machines makes sense for more reasons than just the possibility of a physical attack on the machine(s) in question. If the two are in different physical locations, they likely will connect to the rest of the Internet via different physical connections. This means two things:

First, physical attacks, or just physical plant accidents like a fire in a wiring closet or a construction crew digging up a trunk cable, are less likely to take down multiple machines.

Second, since one of the points of a network DOS attack is to saturate the target’s link to the rest of the network, two machines with separate links to the network are more resistant to some attacks than two machines that share a link to the network. Moving to a new physical location most likely has the effect of making them use two different links, and is possibly easier/quicker/cheaper than running a whole bunch of duplicate cable, switching equipment, etc. to the common location.

The physical distribution of the root servers and the large number of them compared to the demand on them, has set a fairly low bar for their security. But now that we know that a DOS can get us within just one or two machines of crippling the network, the cost/benefit ratio changes, and we have to consider more, and more unlikely, vulnerabilities. It’s still certainly possible to overdo it, but it’s not necessarily unreasonable to take more precautions than we used to take.