In many ways, anybody that leaves an management port open to the internet is to blame. It's not even security 101, it's sysadmin 101.

It's like leaving a BMC open to the internet: these things are built with no security in mind, and can be rooted as soon as they can be connected to.