botched protocol implementation X hard coded creds
.TBF the fall back in the MAC implementation could be an "At implementers discretion" choice.
The hard coded creds? This design pattern needs to be burned out of every devs toolkit. The "theoretical" simplicity of the security has demonstrated failure over and over again.