But still may have known default passwords and are through sheer luck not exploited.
Support-friendly (not necessarily consumer) practices like that remain a problem.
When a device is designed to be online 24/7, it should be secure and not shrug and hope that it’s being placed behind a firewall.
