I think you'll find that most embedded hardware has your "broken" IP implementation. Probably partly because it's more work to set it up correctly, but also because there are a lot of times where installers in the field or repair people in the shop have no way of knowing what the IP address of this stuff is supposed to be and need to be able to get at it. Devices that I have personally worked with would include a plethora of security cameras, Seimens I/O panels, Lantronix and Mercury TCP/IP to serial I/O converters, AMAG security hardware, two kinds of infant abduction systems, intercoms, and emergency alert systems. Some (most?) SCADA hardware is set up that way as well, I've been told. I suppose the reason why this isn't really considered a security issue is that you need physical access to the device to make it work.