#2 is awful and is damaging for the Internet as a whole and a big oversight on Automattic's part.
"admin" as a default username + lack of out-of-the-box rate limiting of incorrect login attempts + default login page address means that any WordPress blog is brute-forceable. WP blogs are overtaken by malicious entities all the time, every day; they are used for SEO purposes and to spread malware. I would be hard-pressed to estimate the actual spread of the problem, but a significant share of all malware online is spread precisely by the overtaken WordPress blogs.
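As an added illustration of the missing rate limiting the comment describes (example code, not the commenter's own), here is a small detector that reads web-server access-log lines and flags a source IP whose failed POSTs to the default login page exceed a threshold inside a sliding window. The log lines, IP addresses, threshold and window size are constructed assumptions; WordPress answers a successful login POST with a 302 redirect and re-renders the form with a 200 on failure, which is what the status check relies on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache "combined" format (not real traffic).
# 203.0.113.7 hammers wp-login.php; 198.51.100.4 is an ordinary user who
# fails once, then logs in (successful POST answered with a 302).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:55:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:59:30 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "curl/8.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_login_bursts(log_text, threshold=5, window_seconds=60):
    """Map each source IP to its peak count of failed wp-login.php POSTs within any
    sliding window of `window_seconds`; keep only IPs whose peak reaches `threshold`.
    GETs only fetch the form and a 302 is a successful login, so neither is counted."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[1])            # process in time order
    recent = defaultdict(deque)                # ip -> timestamps of recent failures
    peak = defaultdict(int)
    for ip, ts, method, path, status in events:
        if method != "POST" or path.split("?")[0] != "/wp-login.php" or status == 302:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop attempts outside the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed login attempts within 60s; block or alert")
```

On a real site the same counting is what a login-throttling plugin or a fail2ban jail on the access log does; the threshold and window should be tuned to legitimate traffic before blocking.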
A few of these issues could be completely avoided by using a hosted WordPress service like Pressable or WPEngine. Both of these services offer hosting cheap enough that I don't even think about launching a WordPress site anywhere else, and it will probably be a long time, if ever, before I worry about how my site is running.
This list of common oversights could apply equally to any CMS installation. Although I really dislike working in WP, I've also seen these same mistakes in other setups that clients have come to us with over the years.