pixl97 4 hours ago
Yeah, devices like this are commonly built as cheaply as possible, and using things like software component analysis typically doesn't happen. And while I can't say about this company, I've worked with other companies that contract/subcontract out building the software for devices like this to the point there is little to no internal software security culture at the parent company capable of identifying potential problems in said software. This is further exacerbated by the previously mentioned 'as cheaply as possible' groups quite often having poor control over their own employees, and intentional hacks/data siphons being bundled with the device. I've seen larger firms that have come to own some software like this from buyouts, and on the first analysis they'll find hundreds of shockingly easy exploits like RCEs in them. Along with this, I've seen that the number of software vulns reported by closed-source software is nowhere close to what they find and fix silently at a huge number of companies.