
> in the default configuration

MongoDB shares some of the blame here. Software needs to be secure by default.



Absolutely. If software needs configuration before it is secure, then the default behavior should be to throw an error while starting up with a link to the documentation for configuration. The default should NEVER be to just start up unsecured.


MongoDB listens to localhost by default and provides a few warnings on startup if you don't have authentication enabled. See:

https://blog.shodan.io/its-still-the-data-stupid/

I believe more of the blame should be put onto markets that provide images with insecure settings as MongoDB doesn't bind to the public interface by default and hasn't done so for years.
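One way to mechanize the check this comment describes (bound to localhost only, and authorization enabled before anything is exposed), as an added example that is not part of the thread or of MongoDB's own tooling. The tiny YAML-subset parser and the three sample configs are constructed for illustration; `net.bindIp`, `net.bindIpAll` and `security.authorization` are the real mongod.conf keys, and the "localhost only" default the checker assumes when `bindIp` is absent is the behavior the comment refers to.

```python
"""Audit a mongod.conf for the two settings discussed above: does the
server bind beyond the loopback interface, and is authorization enabled?
Constructed example; not MongoDB's own code."""

from dataclasses import dataclass, field

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_simple_yaml(text: str) -> dict:
    """Minimal parser for the 'section:' / '  key: value' subset that a typical
    mongod.conf uses. Deliberately not a general YAML parser (no lists,
    quoting or anchors); it exists so the example runs without dependencies."""
    root: dict = {}
    stack = [(-1, root)]  # (indent, mapping) for the current nesting path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # climb out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


@dataclass
class Finding:
    public_bind: bool
    auth_enabled: bool
    bind_ips: list = field(default_factory=list)


def audit(cfg: dict) -> Finding:
    """Evaluate the parsed config against the two insecure-by-default traps."""
    net = cfg.get("net", {})
    # Assumption (matches the thread): with no bindIp set, mongod binds to localhost only.
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    bind_ips = [ip.strip() for ip in str(net.get("bindIp", "127.0.0.1")).split(",")]
    public = bind_all or any(ip not in LOOPBACK for ip in bind_ips)
    security = cfg.get("security", {})
    auth = str(security.get("authorization", "disabled")).lower() == "enabled"
    return Finding(public, auth, bind_ips)


def verdict(finding: Finding) -> str:
    """FAIL: reachable from the network with no authentication (the "it's still
    the data, stupid" case). WARN: exposed but authenticated, so TLS/firewalling
    still deserve a look. OK: loopback only."""
    if finding.public_bind and not finding.auth_enabled:
        return "FAIL"
    if finding.public_bind:
        return "WARN"
    return "OK"


# Constructed sample configs: the shipped default, a typical "cloud image"
# edit that opens the port without adding auth, and a hardened variant.
DEFAULT_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1
"""

OPEN_IMAGE_CONF = """
net:
  port: 27017
  bindIpAll: true   # convenient for the image builder, fatal on a public IP
"""

HARDENED_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0,::
security:
  authorization: enabled
"""


def check(conf_text: str) -> str:
    return verdict(audit(parse_simple_yaml(conf_text)))


if __name__ == "__main__":
    for name, conf in [("default", DEFAULT_CONF), ("open image", OPEN_IMAGE_CONF),
                       ("hardened", HARDENED_CONF)]:
        print(f"{name:<11} {check(conf)}")
```

Running it prints OK for the shipped default, FAIL for the image that flips `bindIpAll` without enabling authorization, and WARN for the hardened config, which is exactly the distinction the comment draws between MongoDB's own default and what some marketplace images ship.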


Which is true for most popular systems, which I appreciate. I need to consciously decide to put something on an externally accessible port, which reminds me that it's time to make sure everything is secure (TLS, authentication, user privileges, etc).


Redis and MySQL have started to lock down with random passwords now when installed, which is nice.


Did MySQL let you connect to an instance remotely without a password, like, ever? I used it for the first time like 16-17 years ago and don't remember anything like that.

PS: And yeah I remember that famous password bypass bug from 2012, but that's all.


MySQL's "security model" used to be that it only bound to 127.0.0.1, but beyond that there were no passwords. I may be recalling incorrectly, but root did have access via `%` on most systems I used.

I'm not sure if the reason MySQL was open with no password is MySQL's fault or the various distribution packagers'; they have a lot of say in how it's ultimately configured, but it wasn't a good look.


I really can't recall if / when it changed, but for many years you just wouldn't be able to connect to MySQL as root unless you set the password. Also, if someone has access to your localhost it almost always means you're already in trouble no matter how well the database is configured.



