Finally, a topic where I'm an "insider" as it were...
AC, obviously.
Quick background: I work in major DVR/NVR company which provides video management, CMS and general Orwellian monstrosity solutions to many corporations. Not an integrator that puts together solutions from off the shelf parts, but one of the vendors. My job is lead integration engineer, I ensure that all third party IP POS and IP camera solutions (all of which speak different protocols, thanks total lack of industry standards) can speak to our video management systems, and write the glue code to make it happen. I also do coding on the NVR system itself.
Now, given what I've said above, it's fair to say I'm an expert on camera offerings. I have complete lines from several vendors cluttering my storage area and have seen hundreds upon hundreds of different models of camera. I also routinely VPN into sites and see what the real world multi-million dollar camera installs look like.
What you're seeing here is STANDARD PRACTICE. Offering a motion jpeg video stream over HTTP is a basic feature that all cameras have for quick and dirty integration. Very few of them password this stream, because it's inconvenient. The few that do use only clear-text HTTP authentication anyway. Also, in practice maybe one in a thousand sites, if that, changes the default password. Don't know the default password? That's fine, industry websites publish master lists, just Google. It's simply how it's done in the industry.
The only reason TRENDnet is getting burned is because they're a consumer outfit, and bizarrely consumers care way, way more about network security than enterprise users in the physical security segment.