There's probably 100x more cell towers than there are water plants. The impact of hacking a cell tower isn't direct loss of human life (granted, knowing off a large number of cell towers would be very disruptive). The answer to the question "should it be online" and "how much $$$ should we spend securing it" is going to be different in these two cases.
I think there's also a fair question of "ownership of damages" here - cities get sold water treatment management systems and want them online as cheaply as possible - city councils end up owning the mistakes in misconfiguration but companies selling the systems are incentivized to make those default bad configurations possible - even while, in bold lettering, mentioning that you should not use the default authentication.
Cell towers are a really integral part of carrier's business - I'm not certain whether most are owned by providers or other companies, but either way the folks that put the tower up owe the customer (be it a phone user, a phone provider or some subcontactor of the provider) an explanation and pay the costs of bad configuration... I'd also assume that making sure these towers stay up is someone's fulltime job (likely multiple people) - while there won't be an employee constantly monitoring city water systems since it would take so little of a single person's time.
I'm not sure I agree that this is /wrong/ per se - the issue arises from the city council's disinterest / lack of expertise (which itself comes from disinterest) in these systems. If the issues are disclosed clearly, and the city council continues to sign off on the implementation (due to disinterest, cost pressure, whatever) without consulting knowledgeable third parties, then it's only realistic that the blame falls on the ultimate decision-maker (in this case, the city council).
The issue is that that strikes me as being incredibly socially inefficient. This town is probably going to be suuuper careful with water system security from here on out but the next town over might hit the same issue a few years down the line. There probably aren't more than a few dozen vendors of this type of service nationally and it'd be easier to learn the lesson at that consolidated level.
impact of hacking a cell tower isn't direct loss of human life
Not a direct loss, but plenty of opportunity for indirect loss. Disrupting emergency systems is the first that comes to mind. Covert hacking and surveillance could also be used for assassination plots.
