I'm not missing your point. Your point is wrong. Listening on all interfaces is acceptable because this is infrastructure software, and wiring up MongoDB on a publicly accessible and unfiltered endpoint is an antipattern, authentication scheme or not. If you choose the shitty deployment, like public IPv4, it's on you to actively configure the software to support your shitty deployment.
The default that isn't secure is your expectation of secure software regardless of the accessibility of the endpoint. You don't get to punt those assurances to MongoDB and file "unacceptable" JIRAs to add some other lightly-reviewed authentication scheme to software that doesn't need it. It's on you as an administrator to secure your database, and step one is not default permit to an endpoint on which you can find your entire database. Let me guess, you want authentication via HTTP basic for all of your backend services but rolling a CA and doing TLS client auth is outside your budget and time?
I have been doing production operations for a while. There are two schools of thought: "the defaults are unacceptable," and "I should really be applying defense in depth to protect my infrastructure and own responsibility," and I actively hire the latter. There are a lot of the former, and we're seeing their databases in this post.
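As an added illustration of the "it's on you to configure it" stance in the comment above (example code written here, not the commenter's): a small audit of a mongod.conf that flags the exact combination the thread is about, listening on every interface without authorization enabled. The two config snippets are constructed samples; the keys `net.bindIp`, `net.bindIpAll` and `security.authorization` are real mongod options, and the tiny YAML subset parser is an assumption made to avoid a third-party dependency.

```python
"""Audit a mongod.conf for 'all interfaces, no auth' exposure."""
from __future__ import annotations

# Constructed sample configs, not taken from any real deployment.
WIDE_OPEN_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

def parse_simple_yaml(text: str) -> dict:
    """Parse the two-level 'section:\\n  key: value' subset mongod.conf uses.
    Deliberately minimal (assumption) so the example runs without PyYAML."""
    tree: dict = {}
    section = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.partition(":")
        if raw.startswith((" ", "\t")):  # indented line belongs to current section
            tree.setdefault(section, {})[key.strip()] = value.strip()
        else:  # top-level section name such as 'net' or 'security'
            section = key.strip()
            tree.setdefault(section, {})
    return tree

def audit(conf_text: str) -> list[str]:
    """Return findings; an empty list means no exposure this check knows about."""
    conf = parse_simple_yaml(conf_text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    bind_raw = net.get("bindIp")
    bind_ips = {ip.strip() for ip in bind_raw.split(",")} if bind_raw else set()
    all_ifaces = (net.get("bindIpAll", "false").lower() == "true"
                  or bool(bind_ips & {"0.0.0.0", "::"}))
    auth_on = sec.get("authorization", "disabled").lower() == "enabled"
    findings: list[str] = []
    if all_ifaces:
        findings.append("listens on all interfaces (bindIp 0.0.0.0/:: or bindIpAll)")
    elif bind_raw is None:
        findings.append("net.bindIp unset: mongod before 3.6 bound all interfaces by default")
    if not auth_on:
        findings.append("security.authorization is not 'enabled'")
    if all_ifaces and not auth_on:
        findings.append("CRITICAL: database reachable without credentials from any network")
    return findings
```

Run `audit()` over a real config to see which of the two camps in the comment a deployment falls into; the hardened sample binds only loopback and one private address and turns authorization on.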