I’ve even seen this among quite clued-up users, and even a few corporate networks.
Let me explain why this is a bad idea: there’s now a breed of mobile app (usually deliberately installed, but sometimes running as malware) that sits there scanning for open wireless networks, checking the router manufacturer (trivially easy to work out from the MAC address) and then changing the router’s password.
The more technically-minded might know that the vast majority of routers will be secured using WPA2, or even WPA or WEP, which aren’t particularly secure. You’re right, but the fact is some people leave their networks open, either through ignorance (not understanding complex web interfaces), deliberately (for example, in a pub or hotel for guests), or by accident. I’m supposed to know what I’m doing, but on more than one occasion I’ve made a config error that left a router wide open.
Of course, any of these situations raises security questions, but with this new breed of app deliberately looking to sabotage your router, things have become worse. While right now these apps are only trying to change the router password, who’s to say that future versions won’t configure them to pass all traffic though a password-stealing proxy, or install fake DNS records that direct online banking users to a phishing site.
The possibilities here are endless - so please, as well as setting a secure WPA2 password, change your router’s admin password to something secure.