Some manufacturers do ship with randomized passwords and it's good practice.
My own view is that there's an essential piece of hardware missing from such devices: the write-protect switch. Frankly, nothing containing firmware should allow that firmware to be reprogrammed, without the user first manually setting it to writeable.
If these devices shipped write-protected, any crackery could always be un-done by resetting or power-cycling the device.
Manufacturers eliminated the write-protect switch to save a few cents (and, they say, to avoid confusing their lusers). Legislators would do well to mandate it back into existence. It should be plain illegal to sell any piece of hardware missing such an obvious and cheap security measure.