by g_p
2002 days ago
The specific problem on network equipment (i.e. Cisco) is actually that these "default" accounts are really backdoors, since they are not exposed in a list of accounts in the UI or shell interface. Therefore auditors will look and find nothing, but the accounts are buried there within the system if you know about them (i.e. by exploring a firmware dump and finding the password hash and reversing it).

If these are documented (e.g. IBM has these notorious RedBooks of 500-700-1000 pages) then one should spend the time to study before implementing, securing, auditing, and-other-verbs.
Again, the only 'excuse' I can accept (not really) is that "management" knows that the staff is not enough and they cut corners... in which case you crucify the COO in your report, not the poor admin(s).