Does Magento have default passwords? I'm doubting it. Opencart doesn't, but it's mentioned here too. The problem is more that people are using stupid passwords when they set up their sites: "admin/admin" or "admin/password". It doesn't take a rocket scientist to figure that out.
But unless something's completely wrong with Magento, it doesn't seem fair to throw them under the bus. It's the site owner and possibly their developer that are leaving these sites wide open for being hacked.
Worse is that many of these sites are deployed on shared servers, which means that, because of default security, anyone with a hosting account on one can go on to read the files in every other account's home directory. Including database credentials! At that point it's game over.
Opencart USED to use a combination of MD5/SHA1 that would be easy to brute force. In Opencart 3, it moved to Bcrypt (I was responsible for the pull request). A trip to GitHub says that Magento still uses MD5 or SHA256 for its password hashes. This doesn't do anything for the security of the server itself; it only helps protect passwords from being guessed offline.
Really, there's too much money at stake. I'd be surprised if credit card processors allow customers to connect from shared servers for much longer.
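For the shared-server point in the comment above, an added example (not part of the original comment) of how a site owner can audit their own hosting tree: a credentials file is exposed to other local accounts only when it is world-readable and every directory on the path to it is world-traversable. The account names, the file name `db-credentials.php` and the directory layout are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

def exposed_files(root, names):
    """Files under root named in `names` that other local accounts can read.

    A file counts only if it is o+r AND every directory from root down to it
    is o+x (traversable). Directories above root are not checked.
    """
    root = Path(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        if not here.lstat().st_mode & stat.S_IXOTH:
            dirnames[:] = []   # others cannot enter: nothing below is reachable
            continue
        for name in filenames:
            st = (here / name).lstat()
            if name in names and stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                found.append((here / name).relative_to(root).as_posix())
    return sorted(found)

def demo():
    """Build a constructed shared-host layout and audit it."""
    # (home directory mode, credentials file mode) per constructed account
    layout = {
        "acct_a": (0o755, 0o644),  # open home, open file
        "acct_b": (0o750, 0o644),  # home closed to others
        "acct_c": (0o711, 0o640),  # file closed to others
        "acct_d": (0o711, 0o644),  # listing hidden, but path still traversable
    }
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        home.mkdir()
        os.chmod(home, 0o755)
        for acct, (dir_mode, file_mode) in layout.items():
            shop = home / acct / "shop"
            shop.mkdir(parents=True)
            os.chmod(shop, 0o755)
            cred = shop / "db-credentials.php"   # hypothetical file name
            cred.write_text("<?php /* constructed sample */\n")
            os.chmod(cred, file_mode)
            os.chmod(home / acct, dir_mode)
        return exposed_files(home, {"db-credentials.php"})

if __name__ == "__main__":
    print(demo())
```

The `acct_d` case is the one that is easy to miss: a `0711` home directory hides the listing but still lets another account open a file whose path it can guess.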