Yes, this is pretty standard, even in military contexts.

For example, military aircraft ACARS communications are often entirely in plaintext, and don't forget the famous "Predator drone video feed intercepted via $26 software" incident: https://www.wsj.com/articles/SB126102247889095011

However, that's only the data they forward, and this can be more or less trivially fixed at several layers, since many of these communication satellites are just "bent pipes" that often don't even digitally demodulate what they receive before frequency-shifting and rebroadcasting it.

Authentication is a bit more challenging; interesting things can happen even when traffic itself is encrypted, such as Brazilean truckers using your expensive military communications satellite as a football chat room: https://www.wired.com/2009/04/fleetcom/

Beyond payload encryption/authentication, satellite operational commands (e.g. engine and inertia wheel control, power management etc.) should have been encrypted for decades, though (and are one of the few explicitly carved out exemptions to otherwise strict "no encryption on amateur radio bands" regulations), so these claims about "software kill commands" seems very worrying.