Many pieces of equipment or software come with built-in security features. “Vendor default security settings” means the ‘out of the box’ settings that these security features come with. For example, system administration or service accounts will ship from the manufacturer with a ‘default password’. These default accounts and passwords are published and well known, and so do NOT provide adequate security.