Back in the olden days, equipment like this had serial port configuration interfaces which were intended for use by nearby administrators, via terminals and small local networks with no connectivity beyond the local facility. If longer distance administration was required, it was over dedicated copper loops. The internet was simply not used for these kinds of systems, and the idea that those devices would ever end up on a globally-accessible network with millions of untrusted devices was incomprehensible. As technology developed and the internet took over as the primary means of long-distance networked communication, these legacy devices were incorporated into a network environment that their engineers had never even considered. It's just not what they were made for. The devices are not to blame. Engineers and administrators who put them on public networks certainly are.