Most of those vulns were relatively recent probably well after the device design project was finished and closed down.
On going testing was probably never considered or rejected as an unnecessary expense. Ususal device MO, build release to the wild and then do your best to forget.
The company involved has actually acted better than 90% of other by talking to the discoverer and fixing the vulns before a controlled disclosure. TBH they should get some praise for being responsible and dealing with their initial failings not just going into full denial.