The OpenSprinkler controller

No, I'm not. Quite contrary.
Users do stupid things all the time.

And while I agree that things should be secure by default in an ideal world, I don't think "insecure" things are bad per se.
If I don't expose this to the internet, I don't see why I would strictly need authentication or anything like that. Plain old unencrypted and unauthenticated HTTP is just fine for many use cases. I do actually run such things (not this one, but similar things) inside of my secured network. And I really don't see the problem.

If a user connects something to the internet, it's their responsibility to check if it's safe and secure. Just like it's their responsibility to check if it's safe and secure to leave the car doors open.
But that doesn't affect all other use cases and doesn't make the product any worse.