This is especially surprising because Firebase provides authentication APIs that do the right thing by default. This means devs are doing more work to get to a less secure solution.
Or treating it like any other database; and just using it because its 'popular.' Those 'developers' who do that (use popular just because,) are just the people who stain the title.
I think what firebase provides has changed over time. These problematic instances maybe be legacy.
And the difficulty of setting up firebase's auth may also have changed over time. Did they always have hosted user/password auth or did they rely on third party pre-google?