We have 200+ cameras, 7 NVR servers (soon to be 8), and multiple workstations on a private VLAN, and do not use the manufacturer default for any password. We use a fairly long and complex single password for all cameras, with the exception of one manufacturer's devices, which only allow 8 characters. Our password for those is complex, however. On the cameras that have a built-in viewer and/or user account that cannot be deleted, we change that password to be the same as the administrative password.
For us, only admins are authorized to change camera settings. The admin password is known by only two people, and if one of us leaves, someone will spend a day changing passwords. We do the same with the admin accounts for our VMS application, servers, and workstations.
We do not consider this a security vulnerability any more than a domain administrator would consider the domain admin password a vulnerability. It does, however, require that we be diligent in protecting that password. If someone (e.g., integrator/installer) needs access to a device's settings, we allow it only through the VMS, and they are given a temporary user account that is strictly limited to the specific device(s) they need access to. If the VMS can't access the particular camera settings, then we do the configuration with input from the integrator/installer.
Our camera VLAN is private and cannot be seen from outside our network, and can be seen from only a select few other VLANs on that network. We consider the risk of hacking very low. Not zero, but low.