They'll probably just use the MAC for the initial password because, as you say, the device has almost certainly already got a printed label with it on and it doesn't involve any special characters, so no change to the manufacturing process at all - just a bit of code and a documentation update. Equally, a hardware reset would simply reset the password to the MAC as well as wipe any config info, so no issues with generating extra e-waste, unless the device with shit to start with (we are talking IoT afterall).
It's a start, but MACs are 6-octets, and the first three of those are the vendor-specific OUI, so a dictionary attack is definitely possible without a mandatory password change on first boot if you can fingerprint the device, work out the vendor, then look up the possible OUI(s), and anything else they may have done - like including the brand/model name as a prefix. Three non-specific octets is ~16.7mil combinations, so well within reach of a brute force attack given even a modest amount of time & bandwidth. Of course, the chances are non-zero that unless they're also forced to use something with more entropy the user will just set it to something stupidly easy to guess like "password", but that's now the user's problem.