These days telnet comes wrapped in SSL, so it's totally possible to use it securely. I prefer public keys and almost never use telnet, but SSL telnet should be just as secure as password SSH.
What's the point of SSL telnetd, because one could just use ssh? You still have to bring in some heavy crypto libraries (openssl) so 'telnets' isn't any more lightweight solution either. The only reason I can think of is some corporate policy that dictates the use of telnet, and for some reason SSL is approved but ssh, that hacking tool, isn't.
For instance...with an SSH client, the first time you contact a new server you're asked to verify the remote host's identity. I bet most of us just blindly type 'y' at this point despite the security implications. On the other hand, with SSL, you can have the server cert signed by a CA the client trusts.
SSH was actively replacing telnet in the late 90's already in any decent institution. At universities it was pretty much the standard. (At least on my side of the globe.)
For those who don’t know, “popcon” is short for Debian Popularity Contest, a project that collects stats about the usage of Debian packages from users who have installed the optional popcon package.
There are also a fair number of soho [wireless] routers with telnet enabled by default.
I guess that's partly due to memory footprint, or assumed memory footprint (dropbear being fairly small), by the manufacturers, and partly due to windows not having a ssh client by default, whereas every major OS comes with a telnet client.
According to comments on Colin's message, all BSDs as the bug has been there for years. OpenBSD doesn't have telnetd in its base distribution (and I currently don't have access to my OpenBSD server to check on the ports).
