1. - routers have mainly solved this by having a unique, random password which is provided on a sticker on the device.
Other than that, these are really good.
I'd add something to address the problem of manufacturers going bust and then all their devices becoming paperweights. Perhaps:
6. It should be possible for the user to install their own firmware / updates. Optionally at the cost of losing guarantee and access to future manufacturer-provided updates.
Routers are decently large, generally have enclosures, and are meant to be placed in a reasonably accessible position for those who should have access to them while at the same time out of sight for those unauthorized, which makes putting a sticker on it, keeping it there, and having the right people read it when needed trivial.
Some IoT devices could be handled the same way, but there are plenty of reasonable IoT applications where a password written on the device is impractical or a security risk.
Sticker in the box / on the user manual could probably solve those cases. The problem with requiring a setup phase is that that means you're shipping it in a vulnerable state.
I recall Dell and HP servers at least used to come with a hang tag attached that listed the random initial firmware password. It doesn't need to be a permanent part of the device -- though you do risk losing the hang tag.