This still is the device users'/maintainers' fault, imo. THEY should implement basic security and best practices. Don't attribute to the vendor what the user should do.
What is happening here is downloading files from a router without the password. Over a port that normally doesn't even allow downloading those files.
I find it hard to believe that this is simply "a bug". There must be base functionality of downloading, and the bug is only that it can be done without authentication.
But the downloading functionality shouldn't even be there in the first place, in the model of "we keep all internals secret and the user can only use the config interfaces and API".
To me, it sounds more like a debugging feature accidentally left enabled, or a requirement from law enforcement they are not allowed to tell us about.
Don't attribute to malice what can be easily explained by incompetence. Even a basic buffer overflow or injection bug can allow full control of any networked device on the planet remotely. Security is hard.
Also, like normis said, it would be irresponsible for the manufacturer themselves to release further details of the exploit without a fix, especially when they themselves only discovered it from their customers (who, btw, they have unusually not acknowledged) a few days ago.
The only problem here is a startling lack of defense in depth for security in the very core of RouterOS. The normal security assumption is that outer layers of security can always be penetrated, so further layers need to be present, and are normally even stronger. Instead of a good onion, MikroTik have a coconut - great outer protection, but once you're in, you're IN.
Indeed, newer RouterOS versions have some basic firewalling in place to prevent access like this, but still, security is everyone's problem, not only the manufacturer's, imo.
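As an added illustration of the "basic firewalling" and user-side hardening the posts above talk about (this is not configuration from any poster in the thread or from MikroTik's own defaults), the following RouterOS CLI fragment restricts the router's management services to a trusted address list and disables the plaintext ones. The 192.0.2.0/24 range and the comment strings are constructed placeholders; the set of management ports (8291 Winbox, 22 SSH, 443 HTTPS) is an assumption about which services a given deployment keeps enabled.

```routeros
# Constructed example: trusted management networks (replace with your own admin ranges)
/ip firewall address-list add list=mgmt-allowed address=192.0.2.0/24 comment="admin LAN (constructed example)"

# Allow established/related traffic to the router itself, then accept management
# only from the trusted list, and drop management attempts from anywhere else.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="keep existing sessions"
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input src-address-list=mgmt-allowed protocol=tcp dst-port=8291,22,443 action=accept comment="management from trusted nets"
add chain=input protocol=tcp dst-port=8291,22,443 action=drop log=yes log-prefix="mgmt-denied" comment="log and drop management from elsewhere"

# Second layer (the "onion"): bind the services themselves to the same range,
# so a missing or misordered filter rule alone does not expose them.
/ip service set winbox address=192.0.2.0/24
/ip service set ssh address=192.0.2.0/24
/ip service set www-ssl address=192.0.2.0/24

# Disable the plaintext/unneeded services entirely.
/ip service disable [find name=telnet]
/ip service disable [find name=ftp]
/ip service disable [find name=www]
/ip service disable [find name=api]
```

The point of the two layers is defense in depth as described in the thread: the input-chain rules stop unwanted connections before any service code runs, and the per-service address restriction still applies if a filter rule is removed or reordered. The `log=yes` drop rule also gives operators a detection signal (entries prefixed `mgmt-denied` in the router log) for management-port probing from untrusted networks.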