I would like to point out that this is not specific to IOT. I deal with lots of servers and enterprise networking gear at my job and many of them come with hardcoded passwords on ipmi / networked admin consoles.

The difference is that your average Joe doesn't even know he has to configure these devices, let alone how to configure them.

Xiongmai has a history of oopsies this big or bigger, going back several years at least. Their software usually turns out to be spyware, whatever their intent may be.