The [software] developers are somewhat limited by the capabilities of the device. I'd imagine that these are fairly simplistic modems + microcontroller with not a lot of memory to work with. A full-on SHA implemented algorithm is likely beyond the hardware though some kind of hash should have probably been used - assuming the hardware side used it.
It's all very well saying something like this should be locked down but easier said than done. At the end of the day, it's up to the device manufacturer to provide the functionality, and software to ensure it gets used.