Because passwords are no longer stored in the workunit, or cached by ESP, they are not available to send in SOAPCALLs. So, it a 7.x engine uses SOAPCALL to call a 6.X ESP, the credentials are no longer sent and the call will fail. The user MUST specify credentials in the SOAPCALL URL in order to succeed. When 7.x engine calls a 7.x ESP, this all works because a secret workunit token is passed to the ESP.
So, the statement "The default username/password are those contained in the workunit" is no longer valid if calling to legacy ESP. This should also be documented as a known limitation, or a security improvement