It’s been a long time since I had cable but at the time I bought a modem because I could get a really good one and not paying the cable company’s rental fee for a modem, it paid for itself in about a year or so. I seem to remember that the cable company still took control of updating firmware and such on it, though, to maintain compatibility. So I don’t know if it buys you much from a security standpoint, but that’s also an area where I have no expertise.
In a choice between thinking that a vending machine company put facial recognition technology into a vending machine or prankster students hacked the device to display a suspicious error message I would suspect the latter is the case.
However, watching the video and looking at the brochures on the manufacturer’s website, it looks like the manufacturer did indeed put rudimentary facial recognition in so they could gather demographic information on their customers like gender and approximate age for marketing purposes. Maybe the hole was damaged by curious students?