
If you subscribe to the idea that you shouldn't assume malice when stupidity suffices, maybe the programmer in question just saw somewhere that it's good practice to use a password on private keys, and didn't understand why you do it or how it helps.



Yeah that's another point for the "don't blame us because we're stupid" argument. They're actually so stupid that they use a password that's stored in the same place as the cert. If they used any of the standard anti-reversing techniques, that would have implied enough sophistication to be expected to know how TLS certs work, thus enough sophistication to know to just generate new certs on first use. One would have expected Komodia to make this automatic for their poor stupid customers, however.
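The alternative this comment points to, generating a unique root CA on first use instead of shipping one key plus its password with every install, as an added Go example that is not from the thread or from Komodia; the file names ca.crt / ca.key under a caller-supplied directory are assumptions:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"os"
	"time"
)

// EnsureLocalCA returns the PEM root CA cert kept in dir and whether this call made it:
// first use generates a fresh Ed25519 key (stored 0600) and self-signed cert; later runs reuse them.
func EnsureLocalCA(dir string) (certPEM []byte, created bool, err error) {
	if existing, readErr := os.ReadFile(dir + "/ca.crt"); readErr == nil {
		return existing, false, nil // provisioned on an earlier run, nothing to generate
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, false, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "Local install root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(1, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, false, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, false, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	if err = os.WriteFile(dir+"/ca.key", pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600); err == nil {
		err = os.WriteFile(dir+"/ca.crt", certPEM, 0o644)
	}
	return certPEM, err == nil, err
}
```

Because every install mints its own key, extracting the key from one machine gives nothing usable against another, which is exactly the property a single bundled key and password cannot have.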


Looks like the software they were using indeed requires a password on the private key:

http://www.komodia.com/wiki/index.php/Komodia%27s_Redirector...

(Down near the bottom, "sslpsd - To the password of the root CA (it's mandatory).")