Yep, yep and yep. Sticking a device out there with a public IP and nary a clue about how to lock it down (or even that it should be locked down in the first place) is inviting disaster. That's why my company sells cellular connectivity with decent network options - like assigning private static IPs, and routing all the cellular traffic to the customer's datacenter - effectively pulling the device behind the customer's corporate firewall, no matter how the device is configured.
Of course, they should still be DMZing the devices within their WAN, but at least some schmoe on the internet can't root the device with a portscan and two minutes of websearching for a setup manual. Not that there's anything new about that: http://www.theregister.co.uk/2011/05/03/cop_car_hacking/