While I agree that adding HTTPS provides no additional security over HTTP if the web UI has no password I don’t think you can compare this to SSH with a default user/password.
There is an order of magnitude more risk in having SSH access open with a default user/password than there is a web interface open with no username/password (or indeed with a default username/password). SSH access (particularly if that also gives root access) can be used to do a lot of damage to the system, install software, rootkits, and many other things, etc.
The (first run) web interface on the other hand is a wall gardened set of functionality and therefor a lower risk and that is what security is all about. It is impossible to have a totally secure system. Security is always a matter of managing the risks so I think it is absolutely right that as a step to making the whole system more secure, knocking off the an easy win, high risk item is a positive move.