That blurb from the VAPIX doc is good info. I will keep that in mind.
Recently I have done some work installing Axis dome cameras using a handheld Axis T8414 viewer. The cameras were out-of-the-box new, and did reject any password other than "pass" when calling up live video with the viewer (before any configuration was done). As far as I understand, the viewer uses both HTTP for VAPIX (tell camera to focus, pan, etc.) and RTSP/RTP to provide video.
I played around with this today, and reread that portion of the authentication paper you referenced. Careful reading of what you quote above says that the client (VMS) is trusted to add proper credentials, not that it is trusted to access the camera. This means that if you do not configure the camera manually, the burden of security lies with the VMS.
Quick rant on this:
I had a Q3505 in from repair today and tried this out after ensuring the camera was defaulted. In order to use VAPIX (via HTTP) or request a video stream via RTSP, username "root" with password "pass" must be given. But those methods do not force you to change the default password like accessing the camera web page does.
This is unavoidable by design, not a bad thing. There is no way to tell a VMS "you must change the password first". You can do that to a human, but it is probably the case that all the relevant protocols (RTSP, ONVIF, VAPIX) have no way of handling this.
Sure, Axis could make VAPIX do this since it is their API, but that would probably break a lot of VMS features (auto-discovery, parameter listing, etc.) during configuration, and would require VMS manufacturers to change their camera enrollment procedures just for Axis cameras.
Axis has made a best effort to get users to change the default password by requiring it when accessing the camera. It would be nice if VMS manufacturers followed the same practice and provided an option to change default camera credentials.