If it had a default creation setting, it would be much easier to crack most user's passwords. There's still a motivation issue, but that's not a solid defense.
A lot of security processes are not designed for say state actors with library of 0- days or monopoly on violence(i.e. $5 wrench) that doesn’t make them bad.
Security is a spectrum, perhaps some subset users needed a more secure system most probably still benefited from this tool ?
