Such ridiculous laws. The real crime here is that the software vendor lets people use the software without creating a new password. Even that is suspect, since I bet most people's password would be 1234 anyway. So really they should force people to set up passkeys to access the system. Or, cut out the setup, and just send them a couple of USB's which allow them to access the system.

This "manufacturer" is not doing its due diligence in any way, shape, or form. They are the ones who should face jail time for not implementing bare minimum security practices.

The idea that the guy revealing a complete lack of security is committing a crime is like saying a guy informing someone that they're naked is guilty of forcibly stripping that person. Or that telling someone there's a giant red button that drains the landlord's bank account is guilty of pressing it. Maybe they should remove the giant red button?! Or at least put it in a locked room?

It might be harsh, but the general premise is good that we should not blame the victims of unauthorized access to computer systems.

We should also, as you point out, require vendors to implement minimum security standards.