The latest generations of servers ship with randomized BMC passwords. This was indeed a problem in the past when they shipped with credentials such as ADMIN / ADMIN or no password at all.
"Latest generation" = the last 2 years. Three years ago I was buying SMC servers, which were the first round configured with randomized passwords to comply with CA law (some batches still had ADMIN/ADMIN), and Gigabyte servers were still out of compliance.
I bought my last batch of Dell machines in 2017 (so, 5 years? wow), and they had randomised passwords.
But yes, some providers put the BMC on the internet because it's easier. A provider I used once did this and I was quite displeased, as iDRACs are quite weak and suffer under the weight of bot spam, even if there were no security issues.
It is possible not everyone gets this option from Dell, but one can get a text file from them that has all the MAC addresses and programmed passwords for the DRACs. Ask your rep how to get this. One can potentially use this information in their automation. The list has serial numbers, Ethernet MACs, iLO MAC, password, model, etc.
As far as I can remember, HP has always randomized the default iLO password. ProLiants used to come with a "toe tag" (little card attached to rack mount server by string) that had the iLO MAC, iLO hostname, default username and default password. Newer ProLiants put it on a sticker on the server itself or on a pull-out tab.