Sure, it's one rule for them, and another for everyone else.
But, lets be reasonable for a second, Japan is concerned that if people's networks aren't secured before the Olympic games, these vulnerable devices will be used to disrupt systems by outside attackers and potentially costing the country significantly.
It's well known that IoT devices on the market are poorly implemented and poorly secured and rarely-to-never updated by the manufacturer.
Note that Shodan doesn't try to authenticate with the devices - not even using default credentials. This is different than what Japan is proposing; they want to try various default credentials to identify devices that could be used for various attacks (ex. Mirai).
But, lets be reasonable for a second, Japan is concerned that if people's networks aren't secured before the Olympic games, these vulnerable devices will be used to disrupt systems by outside attackers and potentially costing the country significantly.
It's well known that IoT devices on the market are poorly implemented and poorly secured and rarely-to-never updated by the manufacturer.