
Is it really a virus if it has to guess your root account's password to work?



Yes it is. It takes advantage of a known vulnerability to spread.

You can't expect a non-technical person to understand the importance of strong, unique passwords. Most people can't remember more than one (and a simple one, at that).


I don't really see from that article what the issue is. It just tries to SSH into your phone, and if you left the default root password, ta-da, it's in; then it tries to use your phone to SSH into other people's phones.

Is there some part of the story missing here? The only vulnerability I see is that foolish people are allowed to run SSH servers on their phone.


Well, if you don't see the potential vulnerability in that, I guess there's no point arguing. Back when Linux distros shipped with all services enabled out of the box, and sometimes with default passwords, people used to say "oh that's not a real problem, it's the stupid users." Well, maybe so, but that doesn't reduce the number of rooted boxes. So as people wised up, and the hardliners were told to shut it, things moved to 'secure out of the box' (for some definitions of 'secure') setups. Hardware-locked phones are the next step of that. There may be (misguided) commercial interests in trying to control the software; most real-world issues with a higher complexity than 'what will I have for breakfast' are multi-faceted. All that said, there is a real case to be made to control the setups of devices that are supposed to 'always work'. That's all.



