
Disallow setting user password to "vyos" (the default)
Open, Low, Public

Description

To prevent people from creating configurations readily available for trivial brute force, we should disallow default passwords at installation and set time. The best way to do it is probably a set-time validator.

We shouldn't prevent configs with those passwords from loading.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change
Issue type
Security vulnerability

Event Timeline

I think a warning is better than blocking it from being set, especially since the workaround of loading it through an already existing config still remains.

VyOS is not only used in production but also in education, labs, etc., where a complex password is NOT needed.

The validator could still test for a "good password" (aka password strength) according to some standard, e.g. that it contains lowercase letters, uppercase letters, numbers, special characters, x number of characters, and whatever else is popular to check for.

https://en.wikipedia.org/wiki/Password_strength

https://pages.nist.gov/800-63-3/

Another thing to implement at the same time is to add delays for each attempt. For example, the first 3 attempts have no real delay (like 1 second), but after that the delay is doubled for each attempt.
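The following is an added example, not VyOS code and not part of the task or the comment above. It puts the two proposals together: a set-time validator that rejects (or, per the comment, only warns about) the default "vyos" password and reports strength findings, which never blocks when the same check runs at config-load time, and a per-user login throttle with the doubling delay described in the comment. The function names, the `block`/`warn` policy switch, the strength thresholds and the 60-second cap are assumptions chosen for illustration; the check is meant to run on the plaintext value when it is set, since only a hash is available once the config has been committed.

```python
"""Added example (not VyOS project code): default-password validator and
login backoff. Names, thresholds and policy modes are illustrative assumptions."""
import string
from dataclasses import dataclass, field

# The task names only "vyos"; treating it as a set allows more defaults later (assumption).
DEFAULT_PASSWORDS = {"vyos"}


@dataclass
class Verdict:
    ok: bool                       # False means: reject the set command
    warnings: list = field(default_factory=list)


def strength_findings(pw, min_len=8):
    """Return a list of human-readable weaknesses (empty if none found)."""
    findings = []
    if len(pw) < min_len:
        findings.append(f"shorter than {min_len} characters")
    classes = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digits": any(c.isdigit() for c in pw),
        "special characters": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("missing " + ", ".join(missing))
    return findings


def validate_password(pw, username=None, stage="set", policy="block"):
    """stage: 'set' (interactive set command) or 'load' (boot / load command).
    policy: 'block' rejects the default password at set time, 'warn' only reports it.
    A config that is being loaded is never rejected, as the task description asks."""
    warnings = []
    is_default = pw in DEFAULT_PASSWORDS
    if is_default:
        warnings.append("password is the well-known default")
    if username is not None and pw == username:
        warnings.append("password equals the username")
    warnings.extend(strength_findings(pw))
    if stage == "load":
        return Verdict(True, warnings)
    if is_default and policy == "block":
        return Verdict(False, warnings)
    return Verdict(True, warnings)


def login_delay(failed_attempts, free_attempts=3, base=1.0, cap=60.0):
    """Seconds to wait before the next attempt after `failed_attempts` failures.
    The first `free_attempts` failures cost only `base`; after that the delay
    doubles per failure (2*base, 4*base, ...) up to `cap`."""
    if failed_attempts <= free_attempts:
        return base
    return min(cap, base * 2 ** (failed_attempts - free_attempts))


class LoginThrottle:
    """Per-user failure counter applying login_delay(). The caller passes the
    current time so the logic is clock-independent (monotonic seconds assumed)."""

    def __init__(self, free_attempts=3, base=1.0, cap=60.0):
        self._params = (free_attempts, base, cap)
        self._state = {}  # user -> (failure count, earliest time of next attempt)

    def attempt_allowed(self, user, now):
        _, not_before = self._state.get(user, (0, 0.0))
        return now >= not_before

    def record_failure(self, user, now):
        failures = self._state.get(user, (0, 0.0))[0] + 1
        delay = login_delay(failures, *self._params)
        self._state[user] = (failures, now + delay)
        return delay

    def record_success(self, user):
        self._state.pop(user, None)


if __name__ == "__main__":
    print(validate_password("vyos", username="vyos"))
    print(validate_password("vyos", stage="load"))
    print([login_delay(n) for n in range(1, 10)])
```

A real integration would call `validate_password` from the verify step of the `system login` configuration handler with `stage="set"` for interactive commits and `stage="load"` for boot-time loading, and the throttle belongs in the PAM/login path rather than in the configuration layer; both placements are assumptions here.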