The worst part is, built-in security defaults mean poor architecture decisions still work and are "secure" on the perimeter - enough to get a tick from a big pen-testing firm or stop it showing in Shodan. So these people think they've done a good job. Software developers aren't immune either - while code scanners can find secret strings, they don't stop code being implemented in a bad way.