I have worked in environments where some folks do hardcode passwords into applications, regardless of the warnings, begging, wringing of hands, etc. They believe they know better and that THEY WILL NEVER be a target.
It is unfortunate that this happens throughout IT/OT/ICS, etc.
When found by auditors, there is always a promise to change, but as soon as the auditors are out of earshot... guess what, it happens again and they hardcode the password once again.
Would love to hear how others have handled this in the past.