
Post-Solarwinds, hopefully people will wake up to your point - any online device using components and software from complex supply chains isn't good enough. Heck, Intel, Microsoft and Cisco were breached through that, and that covers a very significant portion of the supply chain of the devices and software people use today (though admittedly not for the one example of an iPad).

Even if they want to use them for ML, this shouldn't be a reason to reduce the perceived sensitivity of the data to let them sit on an online device, as the harm hasn't reduced. Hopefully we'll see more threat models based on the impact of harm, not on the convenience to business.



>Heck, Intel, Microsoft and Cisco were breached through that

Anyone using Cisco could be breached by someone logging in with the default passwords Cisco keeps adding (and removing when discovered).


In most decent frameworks (NIST, COBIT, PCI-DSS) changing default passwords, removing (unnecessary) default accounts, and similar controls are a MUST. The network admin who doesn't do that the minute they add a new device to their network should lose their job. The companies who have IT Sec and IT Auditors who don't check for this should also lose their jobs (or they should all get educated and keep their jobs).

This is basic stuff; a newbie in IT should know these things.

I will also assume that (large) organizations test the updates, and have an action plan in place (i.e. apply fix/patch/update XYZ, study what it does, read the documentation, make the future-state-config, deploy that config, validate the config). I know, simple words, we 'all' (in the profession) know this but when you need to patch x1000, and the boss is barking.......


The specific problem on network equipment (i.e. Cisco) is actually that these "default" accounts are really backdoors, since they are not exposed in a list of accounts in the UI or shell interface.

Therefore auditors will look and find nothing, but the accounts are buried there within the system if you know about them (i.e. by exploring a firmware dump and finding the password hash and reversing it).
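One defender-side check that follows from the comment above, as an added example that is not from the thread or any vendor: reconcile the local accounts a device's management interface lists against the account database recovered from its firmware image, so accounts the UI never shows stand out. The UI account list and the passwd file below are constructed sample data, not from any real device.

```python
"""Added example: flag firmware accounts that the management UI does not expose.
Inputs are constructed for illustration; point them at real exports in practice."""
import re

# Constructed: what the device's CLI / web UI reports as its local users.
UI_ACCOUNTS = {"admin", "netops"}

# Constructed: an /etc/passwd-style file carved out of a firmware dump.
FIRMWARE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000::/home/admin:/bin/cli
netops:x:1001:1001::/home/netops:/bin/cli
diag:$1$abcdefgh$xxxxxxxxxxxxxxxxxxxxxx:0:0::/:/bin/sh
nobody:x:65534:65534::/nonexistent:/bin/false
"""


def parse_passwd(text):
    """Return {user: (password_field, uid, shell)} for each well-formed passwd line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines instead of guessing at them
        user, pw, uid, _gid, _gecos, _home, shell = fields
        entries[user] = (pw, int(uid), shell)
    return entries


def hidden_accounts(ui_accounts, passwd_text):
    """List (user, notes) for accounts present in firmware but absent from the UI.

    Notes mark what makes an entry worth a closer look: a password hash embedded
    in the file, uid 0, or (lower risk) a shell that cannot log in at all.
    """
    findings = []
    for user, (pw, uid, shell) in parse_passwd(passwd_text).items():
        if user in ui_accounts:
            continue
        notes = []
        if pw.startswith("$"):
            notes.append("embedded password hash")
        if uid == 0:
            notes.append("uid 0")
        if re.search(r"/(false|nologin)$", shell):
            notes.append("non-login shell")
        findings.append((user, notes))
    return findings


if __name__ == "__main__":
    for user, notes in hidden_accounts(UI_ACCOUNTS, FIRMWARE_PASSWD):
        print(f"{user}: {', '.join(notes) or 'no notes'}")
```

Anything flagged with an embedded hash and a login shell is exactly the kind of account an audit of the UI alone would miss, and should be raised with the vendor or disabled if the platform allows it.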


If they are undocumented accounts (backdoors in the devious sense) then yes, we cannot do anything about it, just try to pentest the shit out of the equip, fuzz it, and pray to our god(s) of choice and pray we get lucky in these futile experiments.

If these are documented (e.g. IBM has these notorious RedBooks of 500-700-1000 pages) then one should spend the time to study before implementing, securing, auditing, and-other-verbs.

Again, the only 'excuse' I can accept (not really) is that "management" knows that the staff is not enough and they cut corners... in which case you crucify the COO in your report, not the poor admin(s).



