How to address bad password security policy from a large company?

If they process payments via credit card, they must maintain PCI-DSS compliance. You could always report a violation. They could potentially send an auditor and insist on remediations. The whole process would take probably a year or more. It would not surprise me if they are already working on it, assuming you have found a bona fide issue.


If a company sends you your login details in plain text, either your existing one or a new one, you can publicly shame them.

Plain Text Offenders is a site on which you can post their stupidity by simply submitting a screenshot of the offending email. Be careful to blank out any sensitive details. It is a site worth keeping an eye on, so you know which companies to avoid using.


It appears that Western Digital does not have a security team you can directly contact about vulnerabilities. In fact, I found a post on their support site specifically asking why there was no email address or PGP key to use for vulnerabilities and no one from WD responded.

What I did find is that someone said they needed to report a vulnerability and a support person responded that he would private message the person. I suggest you do likewise.