For years, every decent netadmin has had to log onto every new HP printer and greatly reduce its attack surface (or deploy an image to it): Put a password on its admin interface, disable all the unused protocols (obscure/unneeded printing and communication protocols, including FTP and telnet), disable public Internet access, require HTTPS for the web interface (if you are using it), etc.