Nothing is safe!
Whether you're Cisco, Juniper, Mikrotik, Microsoft or Apple - humans are writing code and we all get it wrong. I've read the topic through and I do think Mikrotik could do more (later) but I think some posters have taken a base config of a Mikrotik device, put it in production (possibly across their entire estate) and then carried on with their next task and not really paid much attention to keeping that estate 'live' and current. Acknowledge Mikrotik - once these disclosures hit they're not scrambling to release fixes - they're already done. There are so many vendors out there who don't even have patches for vulnerabilities or that will charge you the earth to stay subscribed just so you can download patches for stuff you paid for in the first place.
Anyway
1. Always change the default password
2. Change the default username
3. Stop services you don't use (SSH, Telnet, API, API-SSL, etc.): IP->Services
3a. Neighbors
3b. Bandwidth Test
3c. DNS remote requests
3d. etc.
4. For the services you do use, move them to non-standard ports: HTTP: 20080, Winbox: 20081, etc.
5. Consider stopping anything that is insecure (HTTP, API, FTP, etc.)
6. Put some default rules in for input->block, forward->block and then work back from there with allow rules
7. Implement a port-knocking system for the ports you do use
8. Don't treat this as an exhaustive list!
9. Once you've got a great config then do an 'export file=MyDefaultConfig' and apply it to everything going forwards, improving as you go
There are lots of resources out there for hardening *all* firewalls and they start off like the above. There are further resources out there for Mikrotik.
I think if you're going to have a lot of devices out there that you manage then you need to have started with some of the above in mind. If you want a good starter document then look at the PCI compliance SAQ D form - this is a big long list of things you would do to harden your network against credit card theft but a lot of it is good practice if you want to secure your network in general.
Mikrotik have offered: if you're unsure about activity on your device, email them, they'll look into it. I bet you they'll do that whether you have proof of ownership or not. How many other vendors will do that for you?
@Mikrotik - Netinstall is hard work. Pressing that stiff button on 500 devices and uploading a default config can be hit and miss. Lots of tutorials out there about disabling network cards and such just to make it work. Can we improve this?
@Mikrotik - A custom repository option for upgrades would be great.
@Mikrotik - If you don't already list CVEs addressed in the changelog files then that would help us.
I know that's probably not a massive help but security is a never-ending process these days!
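
Added example, not part of the post above and not MikroTik tooling: a small Python audit of a RouterOS export against items 3, 4 and 6 of the checklist. The export text is constructed, and the default ports, the set of services treated as unused, and the assumption that a compact export omits settings left at their defaults are assumptions of this sketch.

```python
import shlex

# Assumption: stock ports; a service is enabled unless the export disables it.
DEFAULT_PORTS = {"telnet": 23, "ftp": 21, "www": 80, "ssh": 22,
                 "api": 8728, "winbox": 8291, "api-ssl": 8729}
# Constructed sample export (not from a real device); one command per line.
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=20080
set api disabled=yes
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input comment="default deny"
add action=accept chain=forward connection-state=established,related
"""

def parse_export(text):
    """Yield (menu, verb, item_name, params) for each command line of an export."""
    menu = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            verb, *words = shlex.split(line)
            name = next((w for w in words if "=" not in w), None)
            yield menu, verb, name, dict(w.split("=", 1) for w in words if "=" in w)

def audit(text, unused=("telnet", "ftp", "ssh", "api", "api-ssl")):
    """Check items 3 (unused services off), 4 (non-standard ports), 6 (final drop rule)."""
    services = {n: {"disabled": "no", "port": str(p)} for n, p in DEFAULT_PORTS.items()}
    last_rule = {}  # chain -> params of the last enabled filter rule
    for menu, verb, name, params in parse_export(text):
        if menu == "/ip service" and verb == "set" and name in services:
            services[name].update(params)
        elif menu == "/ip firewall filter" and verb == "add" and params.get("disabled") != "yes":
            last_rule[params.get("chain")] = params
    findings = []
    for name, cfg in services.items():
        if cfg["disabled"] != "yes" and name in unused:
            findings.append(f"{name}: unused service still enabled")
        elif cfg["disabled"] != "yes" and cfg["port"] == str(DEFAULT_PORTS[name]):
            findings.append(f"{name}: enabled on default port {cfg['port']}")
    for chain in ("input", "forward"):
        rule = last_rule.get(chain, {})
        matchers = set(rule) - {"chain", "action", "comment"}
        if rule.get("action") != "drop" or matchers:
            findings.append(f"{chain}: chain does not end in an unconditional drop")
    return findings
```

On the sample, SSH and API-SSL are flagged even though the export never mentions them, which is the case a line-by-line read of an export tends to miss.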