
In what sense? No management interface of any device should be directly exposed to the internet; the default firewall rules of SOHO models of Mikrotik ensure that. To avoid sending usernames across the network (even LAN) in plaintext, you can disable the http, telnet and api management interfaces completely and allow only ones from the (api-ssl, ssh, https, Winbox) list, all of which send data encrypted; for https and api-ssl, you have to install a certificate first.
The target audience of the large models that come with no default configuration is supposed to be capable of configuring them properly before connecting them to the network.
So can you be more specific about whether your post is a question about what you should do or a suggestion about what Mikrotik developers should do?
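An added example, not part of the thread: a small Python audit of the `/ip service` section of a RouterOS `/export`, flagging any enabled service outside the encrypted list given in the post above and any TLS service enabled without a certificate. The sample export, the certificate name `mgmt-cert` and the default-state table are constructed assumptions; check the defaults against your own release.

```python
import shlex

# Encrypted management services from the post (RouterOS names https "www-ssl").
ALLOWED = {"api-ssl", "ssh", "www-ssl", "winbox"}
# Of those, the ones that need a certificate installed first.
NEEDS_CERT = {"www-ssl", "api-ssl"}
# Assumed factory state (assumption): everything enabled except www-ssl.
DEFAULTS = {n: {"disabled": "no", "certificate": "none"} for n in (
    "telnet", "ftp", "www", "ssh", "www-ssl", "api", "winbox", "api-ssl")}
DEFAULTS["www-ssl"]["disabled"] = "yes"

# Constructed sample: export output lists only non-default settings.
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api-ssl certificate=mgmt-cert
set www-ssl disabled=no
/ip ssh
set strong-crypto=yes
"""

def audit_services(export_text):
    """Return sorted (service, problem) pairs for the effective service state."""
    state = {n: dict(v) for n, v in DEFAULTS.items()}
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):            # a new menu path starts a new section
            in_section = (line == "/ip service")
            continue
        if not in_section or not line.startswith("set "):
            continue
        tokens = shlex.split(line)          # handles quoted values
        if len(tokens) < 2 or tokens[1] not in state:
            continue
        for tok in tokens[2:]:              # overlay key=value pairs on defaults
            key, _, value = tok.partition("=")
            state[tokens[1]][key] = value
    findings = []
    for name, props in sorted(state.items()):
        if props["disabled"] == "yes":
            continue
        if name not in ALLOWED:
            findings.append((name, "not on the encrypted allowlist"))
        elif name in NEEDS_CERT and props["certificate"] == "none":
            findings.append((name, "enabled without a certificate"))
    return findings
```

On the sample, `api` is still flagged because the export never disables it, which is the kind of omission a default-aware check catches.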
I got this picture from the internet. My router is up to date
ROS 7.0beta3 ??
That's ... over 4 years old? That version was released 2019-10-22.
Security step 1 already omitted.