You know it's kind of ironic. How is the customer even supposed to know how insecure these systems are without blog posts like this one so they can avoid bad companies?
Actually, unless the customers are as incompetent as the makers of these devices, they should have asked themselves how come they could configure their device with no authentication, and if they could, who else could.
This is not really a bug, this an unfit design.