Michael

"devices whose passwords they could guess"

nothing new about that .. obvious way to prevent that would be to make sure the user knows they should change it.

if there's a display, they could insist on it on first use .. and either way put more prominent notices on documentation (big enough to read which seems to be rare these days for anything), on the case and wherever else.. something to make sure the user knows it's important!

it's a case where just a tiny bit of user education could go a long way ...

that would be a sensible way ..

Anything trying to use problems related to a lack of user education as an excuse to inject backend services the user doesn't know about or trust (ie a possible new attack vector in itself) would be suggesting a VERY BAD IDEA with obvious and serious security and privacy implications (as bad as or even worse than the current problems)

it's user education that is needed .. and not even that much of it.

that's the REAL problem.