Prevalence of hardcoded credentials in IoT firmware

A lot of online ressources I’ve read about IoT hacking mention hardcoded credentials as a very common vulnerability in the firmware of IoT devices. However, it seems unlikely for a company with a bug bounty program to be so careless as to hardcode credentials in the firmware of their product - companies with bug bounty programs are security-minded. How common is it actually to find hardcoded passwords, private keys etc. when bug hunting on IoT programs?