Maybe the 3rd party sellers are stuck with the inventory. They acquired it before the problem was known, or that it was known the manufacturer would not fix. They are stuck with it if they cannot sell it to someone stupid enough to buy it.
I have some sympathy for the third party sellers.
I have no sympathy for the manufacturer who could fix it, especially since it is a defect that never should have been.
If manufacturers had perpetual liability for unfixed IoT crap, then the world would be a lot more secure place. They would plan their development better, knowing they might need to produce patches for a long time. They would plan their design to be more secure in the first place. And maybe, just maybe, they might all get together and work together on a common Linux for router type products that shares a lot of the security work, and its cost among all of the participants.