Changing a default password is not difficult. As you say, it can even be enforced* on 'first boot'.
However, ensuring the new password is recorded properly and securely, and available to all those authorised to use it, is rather more tricky. It certainly isn't right, but many take the view that having the password recorded in the documentation is positive, and changing it from the default is a disbenefit. You then also have the fun of deciding who should know the password: is it role-based, so any sysadmin for that system should know it, or should it be account-based, so everyone who needs access should have their own account and password (which brings in a whole new level of pain and bureaucracy). Throw in a requirement for accounts to have 2FA, or single sign-on, or conform to some other corporate standard or other, and you can understand why some people just keep quiet. It might not be right, but choosing the option that is most likely to give you an easy life here and now, rather than looking for bureaucratic trouble is, not unpredictably, a popular option.
Password and account management is not standard across (IoT) hardware. There may not even be an applicable international standard.
*Unless you do something like break out to a command prompt and bypass the 'first run' script. Not that I have ever done such a thing.