Yes.
The password is sent after the encrypted connection is established, but the remote server gets the password in plaintext.
If you care about that, the best and easiest solution is to use SSH keys.
If you have machines that cannot accept keys, then one solution would be to create a tool that stores your passwords safely, and then uses sshpass to always send the correct password depending on the server you're connecting to.
Now, the reason the password is sent in plaintext is that it leaves all decisions of handling and storing it to the remote end, and the client can be totally dumb. There are a couple of different password hashing (storage) formats used in Linux and BSD systems during the last ten years or so (crypt(3)), none of which require support from the client.
Though that's partly because of history, too (i.e. it's always been like that). There are better challenge-response authentication protocols that could be used even with passwords. For example, SRP, which provides the parties with a shared secret during the authentication. It has been implemented for some SSH servers, but the patch for OpenSSH is for a (very) old version.
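As an added illustration (not part of the original answer, and not OpenSSH code), the sketch below builds the `password` authentication request defined in RFC 4252, section 8, then parses it the way a server would after the transport layer has decrypted it, and hashes the received plaintext for comparison. Assumptions: PBKDF2 stands in for the server's crypt(3) format, and the user name, password and helper names are constructed for the example.

```python
import hashlib, hmac, os, struct

SSH_MSG_USERAUTH_REQUEST = 50  # message number from RFC 4252

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # uint32 length, then bytes

def build_password_request(user: str, password: str) -> bytes:
    """Client side: payload of a 'password' userauth request."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode())
            + ssh_string(b"ssh-connection") + ssh_string(b"password")
            + b"\x00"  # boolean FALSE: this is not a password change
            + ssh_string(password.encode()))

def read_string(buf: bytes, pos: int):
    """Read one SSH string at pos, rejecting truncated input."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, pos)
    if pos + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def parse_password_request(payload: bytes):
    """Server side: the payload as seen after transport decryption."""
    if payload[:1] != bytes([SSH_MSG_USERAUTH_REQUEST]):
        raise ValueError("not a userauth request")
    user, pos = read_string(payload, 1)
    _service, pos = read_string(payload, pos)
    method, pos = read_string(payload, pos)
    if method != b"password" or payload[pos:pos + 1] != b"\x00":
        raise ValueError("not a plain password request")
    password, _ = read_string(payload, pos + 1)
    return user.decode(), password.decode()

def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for whatever crypt(3) format the server uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def server_check(payload: bytes, db: dict) -> bool:
    """The server hashes the plaintext it received; the client never sees the salt."""
    user, password = parse_password_request(payload)
    salt, stored = db.get(user, (b"", b""))  # unknown user: comparison fails
    return hmac.compare_digest(hash_password(password, salt), stored)

# Constructed sample data: hypothetical user and password.
SALT = os.urandom(16)
DB = {"alice": (SALT, hash_password("correct horse", SALT))}
PAYLOAD = build_password_request("alice", "correct horse")
```

The password bytes appear verbatim in `PAYLOAD`; only the SSH transport encryption wrapped around this payload protects them on the wire, and the server end recovers them in full.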