Not sure if I would locate the problem in a default password here. Some devices feature unique passwords, but that comes at the price that if this password is lost, the device might become defective and only the manufacturer might be able to help.
If you have an internet connected fish tank, you need internal IT. There is no way around that. The fish will need updates at some point I guess.
I think digital literacy should tell people about the dangers of default passwords. I am guilty of not changing those as well because of pure laziness. So maybe this might help.
Raspbian 'set the tone' of insecure by default and it seems it took legislation to improve matters.