As far as vulnerability assessment goes, I liked Nessus Professional when we tried it out, but I can't recall if it attempts credentials. Qualys has a great VA tool, but it's quite expensive. Come to think of it, most Windows-based VA tools are expensive, but a lot less expensive than hiring someone. You can use their reporting features to show with follow-up scans that vulnerability remediation is being aggressively pursued (which is what our MSP is planning to do). I am trying to think of the catch for scanning for default passwords, something like accompanying public keys for SSH or domain credentials to check LDAP. If you find a suitable solution, lemme know, because I am interested, especially if it doesn't cost as much as a car per year.
Oh, I just remembered, we have been using a Netwrix tool for password compliance with domain accounts. I don't know if it will do IoT. The Qualys software did check Cisco devices for common passwords.