
Given that the state of the situation now is often "learn one password, pwn the entire class of devices", a default that was vulnerable to literally any other vector of attack seems like a marked improvement. It's easier to protect against a brute force or dictionary attack on any individual device than it is to protect against a single magic default admin credential being discovered - rate limit password submissions, lockouts after subsequent failures, etc.

Sure, if someone can look at the sticker on the bottom of my router and see the serial number and learn the default password that way without having to attack it iteratively, that's still a problem. But a random default password would have to be communicated to the end user somewhere, too... and as with most things, by the time an attacker has physical device access you've already lost.




But serial numbers would turn one password into a small handful, not that much better of an improvement.

A lot of routers come with random, long passwords printed on them as the default. No reason this shouldn't be standard.



