“allow Admin users to circumvent access controls”
That's some highly questionable phrasing. Admin users define the access controls (by design) so obviously they can change them[1]. Calling that "circumvention" seems a bit of a reach.
Shipping with weak default credentials is a valid observation, but also common practice. If you are going to ship a device with any standardized default credentials then it makes no difference how complicated they are because anyone can read your website.
[1] I'm familiar with (wrote) an app for a similar system that uses admin access to issue/revoke ACLs every 20 seconds.