The same can be said about building automation systems, security systems, HVAC systems, etc. I worked in physical security (key cards, cameras, alarms and the like) for over a decade and a half and the utter lack of security on many of the products was appalling. For example AMAG, the second largest vendor of key card systems, only supported MSDE or SQL 2000 with no service packs until 2012. The most expensive security camera that I ever had to install had one user, root, with a hard coded password of 1234 which could not be changed (we only installed those once, at the customer's insistence. Nice camera though). Cisco's miserable excuse for a video system only worked with XP with no service packs (when SP2 had already been issued).
The Target breach was through a remote access connection for the HVAC installers, rather than through the hardware. The entire company used a single easily cracked password on all installations to allow anyone in the company to service any site, and when they were granted remote access they just used that same password. This is unfortunately common throughout all the construction trade, we had a list of passwords that we had ferreted out used by other companies. I could have logged into any installation done by three of the six largest security installers in North America, and probably half of the others.