the problem with that statement though is that's also what happens with every internet attached device people buy. At this point I would be surprised if an off the shelf IoT/IoS device didn't have at least one root login and RCE via a command line passed in a url.
I'm talking about the big iron that provides core infrastructure to corporate intranets, and the Internet at large. Comparing that to fly by night IoT shovelware is a bit disingenuous, IMO.
But look at the industry - "Big iron" (Cisco, network solutions?, juniper, dynalink ...) have all had these issues, over and over and over again.
Given the lack of subtlety and the wide spread existence of these same exploits/backdoors/bugs indicates there's a level of care that is missing in engineering of these devices that makes it plausible that this is by ignorance rather than malice.
And then there's leaving in five separate root logins in just in the first half of 2018. Like, come on.