I know never to trust software written by hardware folks, but seriously, how do you ship a key where the CN is literally "DO NOT TRUST -- AMI Test PK" as the root security. That is outright malicious incompetence.
Because nobody ever looked at the text of the certificate. It was probably a binary file checked into the source control system and, since it seemed to work, nobody ever looked at it.
The only winning move is not to play. AMI should never have distributed test certs to begin with. Give your customers instructions on how to generate self-signed certificates (assuming they are accepted) or setup a dev CA that will sign test certificates. Then the damage from a key leak is limited to one vendor.
Probably came as part of the dev kit from AMI.