by k_sze 2543 days ago
Then aren’t those services/products partly to blame? There should be very few legitimate reasons to leave those things unsecured, no?

I'd be hard pressed to blame them tbh. I think the reasoning is that these are internal services you should put behind whatever measures you have put in place anyway and not expose otherwise. While the previous comment is technically correct about them being insecure by default, they also don't listen to the outside world (see [1], network.host) by default. I've always thought that makes sense for elastic tbh, security isn't their core business so by leaving that part up to you they avoid screwing it up.

[1] https://www.elastic.co/guide/en/elasticsearch/reference/curr...

The same could be said about MySQL - but even that switched to entering a root password and disallowing root login, as well as not binding to any network interfaces until explicitly configured to do so. Of course this can all be overridden with simple config changes but it's relatively "secure by default".

(just to pick an example I'm familiar with).
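Both comments above come down to the same check: does the service bind only to loopback, or does it listen on an interface the outside world can reach? The following is an added example (not from the thread, and not Elasticsearch's or MySQL's own tooling) that classifies listening sockets from `ss -ltnp`-style output; the sample output embedded below is constructed, with made-up PIDs and addresses, so it runs offline.

```python
import ipaddress
import re

# Constructed sample of `ss -ltnp` output (hypothetical host; the column
# layout follows the real tool, the processes, PIDs and addresses are made up).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:9200      0.0.0.0:*         users:(("java",pid=1201,fd=88))
LISTEN 0      128    0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=877,fd=21))
LISTEN 0      4096   [::]:22             [::]:*            users:(("sshd",pid=512,fd=3))
LISTEN 0      128    [::1]:9300          [::]:*            users:(("java",pid=1201,fd=91))
LISTEN 0      128    10.0.0.5:6379       0.0.0.0:*         users:(("redis-server",pid=933,fd=6))
"""

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def split_host_port(local):
    """Split '127.0.0.1:9200' or '[::]:22' into (host, port) with brackets removed."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def classify_bind(host):
    """Return 'loopback', 'wildcard' or 'specific' for a bound address.

    'wildcard' (0.0.0.0 / ::) and 'specific' (a routable interface address)
    both mean the socket is reachable from beyond the host itself.
    """
    if host == "*":
        return "wildcard"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    return "specific"


def parse_listeners(ss_output):
    """Parse `ss -ltnp` text into dicts: process, host, port, exposure."""
    listeners = []
    for line in ss_output.splitlines():
        if not line.startswith("LISTEN"):
            continue  # skip the header row
        fields = line.split(None, 5)
        host, port = split_host_port(fields[3])
        match = PROCESS_RE.search(fields[5]) if len(fields) > 5 else None
        listeners.append({
            "process": match.group(1) if match else "?",
            "host": host,
            "port": port,
            "exposure": classify_bind(host),
        })
    return listeners


def exposed_listeners(ss_output):
    """Only the sockets that are reachable from other hosts."""
    return [l for l in parse_listeners(ss_output) if l["exposure"] != "loopback"]


if __name__ == "__main__":
    for l in parse_listeners(SAMPLE_SS_OUTPUT):
        print(f"{l['process']:>13} {l['host']}:{l['port']} -> {l['exposure']}")
    print("exposed:", [(l["process"], l["port"]) for l in exposed_listeners(SAMPLE_SS_OUTPUT)])
```

On a real host you would feed it `ss -ltnp` output instead of the constructed sample; anything reported as `wildcard` or `specific` is a service that relies on whatever firewall or network segmentation sits in front of it rather than on its own bind address.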