What's the systematic cause behind why organizations like this never bring in the kind of talent and thinking necessary to really solve problems like this? Would they do better if they reversed all the decisions of the hiring committee? Or if they wrote a standard and then had somebody else write a standard that did everything differently?
Diffie-Hellman would not be enough if there is a MITM at the time of the exchange, would it?
Somehow the control panel and the reader must authenticate each other. I'm no security expert, but the only way I can think of is to use some pre-shared key. A key set via a trusted side channel, or at a time when the OSDP channel is known to not be intercepted.
I guess the default key is a problem too. Mainly since it might trick developers/manufacturers into thinking that this somehow makes the key exchange secure if you use it while setting a device-unique key.
I do work with OSDP devices and I have heard this argument from manufacturers, like "we only support setting a new key while using the default key, it's more secure that way".
While it, at best, will just obfuscate the process.
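
The point made in the comment above, as an added example that is not part of the original thread and is not OSDP code: a Diffie-Hellman exchange is run three times with an interceptor on the wire, once unauthenticated, once authenticated with a published default key, and once with a device-unique pre-shared key. The toy group, the `DEFAULT_KEY` placeholder and all function names are assumptions made for the illustration.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3   # toy DH group: fine for a demo, far too small for real use
DEFAULT_KEY = b"placeholder-default-key"  # constructed stand-in for a published default

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def tag(key, pub):
    """MAC over a DH public value; None means the exchange is unauthenticated."""
    if key is None:
        return None
    return hmac.new(key, pub.to_bytes(16, "big"), hashlib.sha256).digest()

def accepts(key, pub, received_tag):
    return key is None or hmac.compare_digest(received_tag, tag(key, pub))

def exchange(auth_key, keys_known_on_wire):
    """One panel<->reader exchange with an interceptor swapping public values.
    Returns "rejected" if an endpoint detects the swap, else "intercepted"."""
    cp_priv, cp_pub = keypair()   # control panel
    rd_priv, rd_pub = keypair()   # reader
    m_priv, m_pub = keypair()     # interceptor

    def swap(pub):
        # A valid tag can only be produced for keys the interceptor knows.
        if auth_key is None or auth_key in keys_known_on_wire:
            return m_pub, tag(auth_key, m_pub)
        return m_pub, tag(auth_key, pub)   # stale tag over the original value

    if not accepts(auth_key, *swap(cp_pub)) or not accepts(auth_key, *swap(rd_pub)):
        return "rejected"
    # Both endpoints accepted m_pub, so the interceptor shares a key with each.
    assert session_key(cp_priv, m_pub) == session_key(m_priv, cp_pub)
    assert session_key(rd_priv, m_pub) == session_key(m_priv, rd_pub)
    return "intercepted"

if __name__ == "__main__":
    unique_psk = secrets.token_bytes(16)   # provisioned over a trusted side channel
    print("plain DH:        ", exchange(None, {DEFAULT_KEY}))
    print("default key:     ", exchange(DEFAULT_KEY, {DEFAULT_KEY}))
    print("device-unique PSK:", exchange(unique_psk, {DEFAULT_KEY}))
```

Only the run where the authentication key is unknown to anyone on the wire ends in "rejected"; authenticating with a key everyone knows behaves the same as no authentication.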