
>> No(Auth)SQL.

Absence or presence of auth is irrelevant. Your database servers, message queues and other infrastructure shouldn't be accessible from the internet. No auth protocol can protect you from this.




If the default settings are dangerous, then the product is to blame, not the user.


The stakeholder who blames just one layer of security for a breach is gonna have a bad time. Truth is, the same reason why people don't change the default (no security) also explains why the server ends up too close to the border. They're cheap and/or ignorant.


Everyone is ignorant of a product until they build experience with it. No baby is born with innate knowledge of how to properly configure a MongoDB!

If a product is misconfigured by default and it takes expertise in the product to not leak data, then the product is unfit for purpose, it will burn anyone who wants to learn it.

What if you learned that Linux had a massive security vulnerability that leaves the OS open for remote code execution? What would you say if Torvalds laughed at its users, saying that if they didn't change that low-level kernel security setting, the users were ignorant and deserved their troubles?

I think no one can pretend he understands all of the settings in the hardware, firmware, drivers, kernels, many other OS layers, database, etc. We rely on having safe and secure default settings, and it is the only way an insanely complex machine like a modern server can be usable.


> What would you say if Torvalds laughed at its users, saying that if they didn't change that low-level kernel security setting, the users were ignorant and deserved their troubles?

That choice of example is particularly weak, given that Linux developers are explicitly working on hardening the kernel's internal security: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Pr...


Many infrastructure services don't have any auth at all. This doesn't make them bad. This just means that these products have been developed for trusted environments. Even if MongoDB were configured properly by default, it shouldn't be exposed on the internet anyway. And you can't blame devs just because somebody doesn't know how to configure iptables.
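The thread argues the point from both sides but never shows the check either side would actually run. Below is an added example (mine, not code from any commenter or from the MongoDB project) of the two defender-side checks the discussion implies: which infrastructure services a host is listening on beyond loopback, and whether a mongod.conf leaves both the bind address and authorization open. The `ss -tln` output and both config files are constructed samples; the port-to-service table and the treatment of a missing `bindIp` as localhost-only are assumptions of the example.

```python
"""Audit a host for infrastructure services reachable beyond loopback.

Added example for the thread above; the ``ss`` output and both
mongod.conf texts are constructed samples, not captured from a real host.
"""

# Assumption: a short illustrative table of services normally meant for a
# trusted network only. Extend it for your own estate.
INFRA_PORTS = {
    27017: "mongodb",
    6379: "redis",
    5672: "rabbitmq",
    9200: "elasticsearch",
    11211: "memcached",
    5432: "postgresql",
}

LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")


def is_loopback(addr):
    """True for IPv4/IPv6 loopback binds as printed by ``ss`` or mongod.conf."""
    return addr.startswith(LOOPBACK_PREFIXES)


def parse_ss_listeners(ss_output):
    """Return (bind_address, port) pairs from ``ss -tln``-style text.

    Column 4 is 'Local Address:Port'; the header line is skipped.
    """
    listeners = []
    for line in ss_output.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        host, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((host, int(port)))
    return listeners


def exposed_listeners(ss_output):
    """Infra services bound to something other than loopback (incl. '*' and '::')."""
    return [
        (INFRA_PORTS[port], host, port)
        for host, port in parse_ss_listeners(ss_output)
        if port in INFRA_PORTS and not is_loopback(host)
    ]


def parse_simple_yaml(text):
    """Tiny parser for the two-level 'section:\\n  key: value' shape used by
    mongod.conf. Enough for this example; not a general YAML parser."""
    tree, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            section = key
            tree.setdefault(section, {})
        elif section is not None:
            tree[section][key] = value.strip()
    return tree


def audit_mongod_config(conf_text):
    """List the two misconfigurations the thread is about: a world-reachable
    bind address and authorization left disabled."""
    cfg = parse_simple_yaml(conf_text)
    issues = []
    # Assumption: a missing net.bindIp is treated as localhost-only.
    for addr in cfg.get("net", {}).get("bindIp", "127.0.0.1").split(","):
        if not is_loopback(addr.strip()):
            issues.append(f"net.bindIp {addr.strip()} is reachable beyond loopback")
    if cfg.get("security", {}).get("authorization") != "enabled":
        issues.append("security.authorization is not enabled")
    return issues


# Constructed sample: what ``ss -tln`` might print on a badly set up host.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:27017       0.0.0.0:*
LISTEN 0      128    [::]:6379           [::]:*
LISTEN 0      128    *:22                *:*
"""

# Constructed weak config: listens everywhere, no security section at all.
WEAK_CONF = """net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed hardened config: loopback only and authorization on.
HARDENED_CONF = """net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for service, host, port in exposed_listeners(SAMPLE_SS):
        print(f"EXPOSED: {service} on {host}:{port}")
    print("weak mongod.conf:", audit_mongod_config(WEAK_CONF))
    print("hardened mongod.conf:", audit_mongod_config(HARDENED_CONF))
```

The bind address is the first layer and the host firewall the second; a listener that never leaves loopback is safe even if the iptables rules the comment mentions are wrong, while a `0.0.0.0` bind relies entirely on them. Running the listener check against real `ss -tln` output is a quick way to find which of the two situations a host is in.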



