Bad Security Can Be Fatal

If you want to know just how bad it can be when software suppliers get their security wrong, look no further than this advisory from the FDA.

There appears to be a remote exploit against medical drug infusion pumps, potentially allowing an attacker to change the drug dosage. While there are no reports of any actual attacks using this exploit, it could obviously have extremely serious consequences. It’s the Hospira Symbiq Infusion System, so you don’t need to worry (this time) unless you or your hospital use one of those devices.

It seems to be the result of schoolboy security errors. The advisory recommends closing the FTP and Telnet ports. Networked medical devices should under no circumstances be programmed to accept FTP or Telnet connections. They also advise changing the default passwords — the device should not function until the default password has been changed. Such mistakes may be forgivable on some networked devices, but not on medical devices.
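One way device firmware could enforce both points, as an added sketch that is not Hospira's code or part of the original post: the default password only unlocks a password change, nothing runs until it has been replaced, and FTP and Telnet can never be switched on. The class and method names, the placeholder default password, the 12-character minimum and the PBKDF2 parameters are all assumptions.

```python
import hashlib
import hmac
import os

FACTORY_DEFAULT = "changeme"            # constructed placeholder, not a real vendor default
CLEARTEXT_SERVICES = {"ftp", "telnet"}  # the services the advisory says to close
MIN_LENGTH = 12                         # assumed policy value

class NotProvisioned(Exception):
    """Raised while the factory-default password is still in place."""

class PumpAuth:  # hypothetical device-side credential store
    def __init__(self):
        self.salt = self.digest = None
        self.services = set()

    @property
    def provisioned(self):
        return self.digest is not None

    def _kdf(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def verify(self, password):
        # The factory default never authenticates a session; it only unlocks set_password().
        if not self.provisioned:
            return False
        return hmac.compare_digest(self._kdf(password, self.salt), self.digest)

    def set_password(self, current, new):
        ok = self.verify(current) if self.provisioned else hmac.compare_digest(
            current.encode(), FACTORY_DEFAULT.encode())
        if not ok:
            raise PermissionError("current password rejected")
        if new == FACTORY_DEFAULT or len(new) < MIN_LENGTH:
            raise ValueError("new password is the default or too short")
        self.salt = os.urandom(16)
        self.digest = self._kdf(new, self.salt)

    def enable_service(self, name):
        if name.lower() in CLEARTEXT_SERVICES:
            raise ValueError(f"{name} is cleartext and never enabled")
        if not self.provisioned:
            raise NotProvisioned("change the default password first")
        self.services.add(name.lower())

    def start_infusion(self, password):
        if not self.provisioned:
            raise NotProvisioned("device is locked until the default password is changed")
        if not self.verify(password):
            raise PermissionError("authentication failed")
        return "running"
```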


