I'm assuming you're also disappointed that nearly every wifi router on the planet is sold with a well known default username and password, such as 'admin' and 'password' ? I hope you're contacting them too.
You're aware that changing the ssh password or disabling ssh is one of the choices given to you through the user interface during the initial boot of the system ? It's right there on the screen, you don't need to log in with ssh to change the ssh password.
But seriously, who is going to try to hack into your device that is connected on your private LAN in the couple of minutes that you are going through the walkthrough ? If you have connected your device such that it has a publicly addressable IP address or has ssh port forwarded through (both strongly discouraged) then silly you.
There's a good reason why ssh is enabled by default on a new install until the user turns it off. (If they choose to) It's for troubleshooting purposes - without ssh its impossible to troubleshoot some problems such as a new install where no picture appears on a TV. If ssh was off by default it would be nearly impossible to troubleshoot a wide variety of problems that can currently be solved via ssh.
You can't be serious can you ? Have you ever heard of dictionary attacks ?
Not really any need for this is there ?
Except it does inconvenience users, the first time they run into a problem that either causes no picture on their screen or requires a command line to troubleshoot or fix (for example kodi stuck in a sad face loop) - then they are stuck without being able to use ssh.
By the way, this debate has already been beaten to death here:
We have already added a page to the initial walkthrough that advises the user of the presence of an ssh server and gives them the chance to turn it off or change the password.
As users should not be putting their mediacenter devices on publicly accessible IP addresses or port forwarding to ssh without changing the password, we feel that this is the right balance between security and convenience to the user, so we are not planning to have ssh be off by default or using a random password.