Does DBAN wipe the Host Protected Area ("HPA")?

No.

Most vendors that are using the HPA have a toggle for it in the BIOS setup program. Future releases of DBAN may override or dishonor the HPA.

However, there are other erasure solutions that have the capability to detect, report and overwrite locked and hidden sectors such as HPA, DCO, and remapped sectors.

Why not now and why not by default?

Some vendors are using the HPA instead of providing rescue media.

Wiping the HPA would surprise and strand people that expect the HPA to have rescue materials, and it often results in OEM technical support marking and abandoning people that do it. The HPA is a low risk because it is not accessible during normal operations.

DBAN defaults are chosen to best protect people with a minimal understanding of this kind of problem. This point is still open for discussion in the help forum and in the appropriate bug ticket.