
Because if it's not destructive they have no reason to pay attention. Change names back and it's business as usual.



IDK, if someone kept changing the table names in my DB every week I'd probably throw a password on it, even if I were really lazy. Most of these people probably didn't realize their DBs were unsecured, and that gets the point across quickly (particularly if the new table names are chosen instructively).


That sounds reasonable, but you'd think most people would also be concerned about their databases being publicly accessible in the first place, yet here we are.


I don't think this is a case of people not being concerned, but simply ignorance on their part about the setup. People just presume that the defaults are safe, and never bother getting into the details.


At the risk of arguing "no true Scotsman," someone who is concerned about security likely wouldn't make assumptions about defaults. Or rather, someone appropriately paranoid about security concerns would not trust defaults without at least reviewing them.


Not everyone feels comfortable and/or knowledgeable enough to review the settings. What they really should do is hire an admin/devops consultant, but for so many projects it's just not a realistic expectation. That's why I put all the blame on developers who chose to publish software that's unsafe by default. It's done on purpose for marketing/sales reasons, to make onboarding faster and easier and get as many users as possible with a "simple to start using" service, at the cost of putting users in danger later on.


Someone who’s a bit more lazy might just switch their db from default port and assume all is good!


Which is precisely why it is ok for me to enter your unsecured garage window and slash all your tires.



