Re: Hardcoded passwords...
It's almost unavoidable to have a hardcoded password for the root / system / superuser but it's easy to render it unusable. Best practice is to set the root password to a very long, randomly generated string, store the salt / hash passwd file into a read-only firmware partition and completely forget what the password ever was. Also disable root login or change the login shell to some null operation.
Then nobody can obtain access to root. Not the devs, not the service engineers, not the user, not the application software, not hackers.
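
A build-time check for the state this post describes, as an added example that is not part of the original post: it reads passwd and shadow text from a firmware image and reports every UID 0 account that could still log in. The sample files, the list of null shells, the accepted hash prefixes and the choice to accept a locked (`!` or `*`) field are assumptions of this example.

```python
# Added example: audit passwd/shadow text for login-capable UID 0 accounts.
NULL_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
# crypt(3) prefixes treated as acceptable salted schemes (an assumption of this example).
STRONG_PREFIXES = ("$5$", "$6$", "$y$", "$2b$")

def _table(text):
    """Map account name -> colon-separated fields, skipping blank lines and comments."""
    rows = (line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#"))
    return {fields[0]: fields for fields in rows}

def audit_uid0(passwd_text, shadow_text):
    """Return findings for every UID 0 account; an empty list means none can log in."""
    passwd, shadow = _table(passwd_text), _table(shadow_text)
    findings = []
    for name, fields in passwd.items():
        if len(fields) < 7 or fields[2] != "0":
            continue  # malformed line, or not root-equivalent
        if fields[6] not in NULL_SHELLS:
            findings.append(f"{name}: login shell {fields[6] or '(default)'} is usable")
        if fields[1] == "x":
            entry = shadow.get(name)
            if entry is None or len(entry) < 2:
                findings.append(f"{name}: no shadow entry")
                continue
            secret = entry[1]
        else:
            findings.append(f"{name}: hash or empty field stored in passwd, not shadow")
            secret = fields[1]
        if secret == "":
            findings.append(f"{name}: empty password")
        elif secret[0] in "!*":
            continue  # locked field: no password can match
        elif not secret.startswith(STRONG_PREFIXES):
            findings.append(f"{name}: weak or unsalted hash scheme")
    return findings

# Constructed sample data; the hash strings are placeholders, not real hashes.
HARDENED_PASSWD = "root:x:0:0:root:/root:/sbin/nologin\napp:x:1000:1000::/home/app:/bin/sh\n"
HARDENED_SHADOW = "root:$6$constructedsalt$constructedhash:19000:0:99999:7:::\napp:!:19000::::::\n"
WEAK_PASSWD = "root:x:0:0:root:/root:/bin/sh\nservice::0:0::/:/bin/sh\n"
WEAK_SHADOW = "root:$1$constructed$placeholder:19000:0:99999:7:::\n"

if __name__ == "__main__":
    for label, p, s in (("hardened", HARDENED_PASSWD, HARDENED_SHADOW),
                        ("weak", WEAK_PASSWD, WEAK_SHADOW)):
        print(label, audit_uid0(p, s) or "no usable UID 0 login")
```

The check covers every UID 0 line rather than only the one named root, since any such account is root-equivalent.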