Crap security devices
I used to work with Modbus based devices that had tried to implement security. They had added an extension to modbus that required you to send a special message type with a password before they would respond to any other requests. After a period of 30 minutes idle, the password would be required again.
When they implemented it, the devices used serial connections for all their comms so it wasn't so terrible (just not great); unfortunately someone had later thought, we can add a serial to ethernet converter to the back of the device and sell it at a huge premium (over $3k). This meant that you had an authorised computer that would unlock the device and then poll it for data every minute so that anyone else on the network could just make requests and it would respond without requiring them to authenticate. The device's software didn't understand that the requests were any different to the ones from the authorised computer as it only understood serial.
Good example of how companies can add functionality without considering the security consequences. And these devices were from the market leader who had sold tens of thousands of these devices around the world, many of them controlling critical infrastructure with potential for huge damage (and potential loss of life) if they were tampered with.