Pretty much every enterprise vendor has or will make the “hardcoded credentials” mistake; this year alone I see announcements from Cisco, Juniper, Fortinet …
One of the biggest vulnerabilities I personally discovered and published involved a vendor’s use of hardcoded credentials in sensitive appliances… that was well over a decade ago. As an installer of “enterprise grade” IT infrastructure, I don’t want any remote backdoors in the products I deploy. If recovery is required, make it dependent on physical access, or at least require use of a serial port.
The only real improvement I’ve seen in the past decade is that nowadays most vendors give the option to disable telnet.