It would be smart for all manufacturers and software vendors to have a complex password policy by default (like Microsoft). If you want to disable the complex password policy, then you should ideally be forced to find the setting and disable it (again, like Microsoft).
That being said, as long as it is reasonably unlikely that the device can be compromised through any enabled-by-default interface with or without the web interface's administrative login, it should not matter if the web interface uses default credentials. Hopefully the web-based credentials are not the same as the root user account on the device...
Still, regardless of the likelihood that privilege escalation or remote code execution will be possible by compromising the web interface, the attack surface grows once you have administrative access to the web interface, so having unique and complex passwords would obviously be ideal.
The risk of enforcing complex passwords is that the passwords are lost/forgotten or written down in a public place. These are controllable though, and the benefits outweigh the risk.