In China a large number of devices connect to the internet using PPoE. because China Mobile, China Telecom both use this as an account service authentication.
That you can use on multiple devices, all having PPoE.
So you can say it's quite indeed possible many devices are not even with a router. exposing NVR / DVR / IPC to a lot of nasty stuff!
When you are talking going back several years of many devices used for businesses, could amount to a lot of in-secure units about!
Router which I have come across in China from internet operators are very poor quality, cheap and very basic units, lacking a great deal security.
Newer offering are somewhat better, but the internet installers recommended to use TP-Link naturally as a home grown product, and also because the internet installation they get working for you.
However even TP-Link models sold in domestic market are cheaper models than the international exported variations. So only having one language, and no English version for firmware updates.
This could be why a lot of easy to find devices used as BotNet are located in China.
Most history if not all DVRs for old, which are still a lot, would use the local network offing little in way of security.
NOTICE: This comment was moved from an existing discussion: Dahua Says They Are Botnet Attack 'Victims'