They added a password to the private key, which they didn't have to, so it's not true that they didn't attempt to obfuscate it at all. In practice that only bought them a couple of hours at most, but why add a password unless you're trying to stop people from using it?
If you subscribe to the idea that you shouldn't assume malice when stupidity suffices, maybe the programmer in question just saw somewhere that it's good practice to use a password on private keys, and didn't understand why you do it or how it helps.
Yeah, that's another point for the "don't blame us because we're stupid" argument. They're actually so stupid that they use a password that's stored in the same place as the cert. If they used any of the standard anti-reversing techniques, that would have implied enough sophistication to be expected to know how TLS certs work, thus enough sophistication to know to just generate new certs on first use. One would have expected Komodia to make this automatic for their poor stupid customers, however.