I'm new to Symfony. Is my understanding correct that the User class is actually for controlling sessions? But is there built-in login and account creation? I'm not finding it. But if there's an admin backend generator, how can it function without user logins?
The myUser.class.php file is the session controller/storage, yes. You can create your own security module if you wish, but many use the plugins mentioned in nselikoff's answer. They're not perfect but they do a decent job. Whichever ORM use, you should definitely start with one of these plugins, and extend/improve them if you need too.
Your admin generator modules are not secured by default, no - it is up to you to implement a security layer. As an aside, don't think of admin-generated modules as exclusively for a backend/backoffice purpose, as there may be some reason for a frontend app to require one. Certainly a system you use internally at your company or at home on a local webserver doesn't need a security layer to function.
Changing the security.yml file to secure an app, module or action requires you to specify the login page in your app's settings.yml, but the security plugins will help you configure this.