The ironic thing is that WPA2-PSK is decently secure. I've not read of any significant breaks, assuming the key is of a decent length.
The problem is that there are shortcuts given (WPS) which make having a solid shared key pointless.
UPnP? Just asking for trouble. If a game has to have ports open, I'll manually open them myself. Otherwise, they should remain closed.
WEP? This shouldn't even be present in any router made in recent years. My HTC Wizard, circa 2006, had an application (before the word "app" was in common use on smartphones) to break WEP-protected Wi-Fi access points.
Open guest networks? No thanks. Guest networks with a WPA2 password that is turned off after a gathering? Possibly.
Remote admin? Nope. If I want this functionality, I'll have some sort of port knocking, a DMZ machine, and SSH with 2FA or via RSA keys to an inside machine to access the router.
MAC locking? More trouble than it is worth, especially when you get a new device. It adds little to security, but is a hassle. With a decent 63-character passphrase for the WEP key, assuming no device gets compromised, that will provide decent security, as far as I know.
DHCP is probably the only service I bother enabling because so many devices don't have the option for a static IP, or if configured, they can't be used on another SSID unless one manually flips the config back to dynamic IP addresses.
What would be nice would be a cross between WPA2-Enterprise and WPA2-PSK. This way, each device can have its own preshared key, without needing the complexity of RADIUS. Done right, the key can be shared to the device by typing it in, snapping a QR code, or many other ways, and if one device is sold, no need to change the key and have to reconfigure all the wireless devices on the segment.