Not everyone feels comfortable and/or knowledgeable enough to review the settings. What they really should do is hire an admin/devops consultant, but for so many projects it's just not a realistic expectation. That's why I put all the blame on developers who chose to publish software that's unsafe by default. It's done on purpose for marketing/sales reasons, to make onboarding faster and easier and get as many users as possible with a "simple to start using" service, at the cost of putting users in danger later on.