The index.html method will only work on a server that is configured to look for index.html:
While that is the default, on a PHP server the default is usually overridden. Showing directory listings is a bug in the server config and should be addressed there rather than adding four hundred blank index.html files to the distribution.
Consider the case where you add a directory for something (e.g. if you want all product images for a particular manufacturer to be in a sub-directory of images). Now there is a directory that is open to being viewed, because there is no way for osCommerce to add an index.html file to a directory that is added later, by an outside program.
Properly securing an osCommerce site requires a properly configured server. There's no getting around that. An important example is securing the includes directory so that its files can't be hit as PHP files directly. Or securing the images directory so that it won't allow PHP files to be run from there. Or setting up the ownership and permissions of the images directory so that a generic server account can't write to it but the osCommerce admin can still add images to it.
Adding blank index.html files is the wrong solution because it *mostly* works. Because it mostly works, people will tend to act as if it entirely works. It's better in my opinion to have a solution that doesn't work at all, because at least then it will be visibly not working and someone will be able to see that it needs to be fixed.
Modifying the osCommerce .htaccess files is better, because even if that is not working, it completely does not work -- it even shows what needs to be done to get it to work.
Always back up before making changes.
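
The server-side settings described in the post above, sketched as an added example that is not part of the original post and is not osCommerce's own shipped configuration. It assumes Apache 2.4 syntax and a server whose `AllowOverride` setting permits these directives in .htaccess files; `<store root>` is a placeholder for the installation directory.

```apache
# --- <store root>/.htaccess ---
# Turn off automatic directory listings here and in every sub-directory,
# including directories created later by an outside program. This is the
# setting that blank index.html files only approximate.
Options -Indexes

# --- <store root>/includes/.htaccess ---
# Files in includes/ are meant to be pulled in by other scripts, never
# requested over HTTP, so refuse any direct request for a PHP file.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# --- <store root>/images/.htaccess ---
# Images are served as static files. Refuse anything carrying a PHP-style
# extension so it is never handed to the interpreter. The (\.|$) tail also
# catches names such as "photo.php.jpg", which some handler configurations
# would otherwise treat as PHP.
<FilesMatch "(?i)\.(php\d?|phtml|phar)(\.|$)">
    Require all denied
</FilesMatch>
```

The ownership and permissions of the images directory are filesystem settings and are not covered by these files.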