The most comments don't have understood, how a system is pushed into production and how all the components of an application/platform are correctly designed.
First, you must separate between development and production. For development, I don't want to setup an bunch of users or other security constraints. So, no default security, that only would slow down development in the first place.
If you implement a web-application and deploy it to JBoss, where should the application know, which sites should be secured?
So, you have to think about security on your own, and not only for database, but for every component, you use.
If the development went on and a prototype or Alpha-version can be deployed to the outside world, then you have to deal with security and you have two options:
1. synchronize the production environment with the development environment (e.g. have a dedicated process for the authentication and desired users and so on)
2. introduce a develop-mode and a production-mode, and accordingly to the different modes, the connection to the database is established secured (via external configuration, so no different codebase is used) or unsecured
And, of course, if you reach your database-server via a direct internet-connection, this is never a good idea. Your application is the interface, nothing else. So the database should never ever be reachable over the internet, only through the application.
In one comment, it was mentioned before: If you give something to production and only use "defaults", you are lost. You have to deal with your software and the components, you are using like ApplicationServers, Databases, Queues, Distributed/Shared Caches and so on.
And finally, if you don't have the time to administrate the database, then why not trying out MongoDB-ATLAS? These connections are completely secured from the beginning, use SSL, so everything ok here, too.