Best answer by JeremyJ
If I understand you correctly, you describe you are seeing a false negative. You’re saying the check should give a failure but it does not.
I think there is a misunderstanding here. Based on your description I think this is working as designed.
The outcome of this check is not determined to be critical. If a default password is used the result given is an INFO.
Only a WARN or FAIL result should change the check status from green to something else, yellow for WARN or red for FAIL. An INFO result is intended to show green.
If you check the results, you should see an INFO note for components which still have a default password set. The details given from this check also link to the KB 6153 which describes the check and provdes methods for updating the passwords.