IME, it is sort of by design.
I have worked for a number of companies developing forms of embedded products. It often felt like nobody really felt like the product was 'complete' until we were 8 or so major releases into things. So you wind up with things like SSH, FTP, etc. either directly enabled, or easily enabled via a not-very-well-hidden method to allow the dev or support teams to get into devices that were not behaving properly in the field so that they could diagnose/fix issues.
It's only been about the last 4 years or so that companies have started to realize the risks in operating this way, and I feel that a lot of that has been brought on by the end-user/buyer organization starting to require cyber security audits and asking more questions about cyber security during the buying cycle.
Indeed. The biggest immediate risk to a newly developed product is that it won't even have any users, much less a sufficiently interested attacker. So why add initial obstacles for yourself, right? So yeah, if effort to increase security is not valued by the buyer it ain't gonna happen.
It's only been about the last 4 years or so that companies have started to realize the risks in operating this way, and I feel that a lot of that has been brought on by the end-user/buyer organization starting to require cyber security audits and asking more questions about cyber security during the buying cycle.