Of course it would be cooler if only small batches of devices had the same cert, or if you would even go through the hassle of making individual ones.
Going through this hassle is exactly what is typically done. It is not uncommon for the initial - or post-reset - boot of a router to take significantly longer than subsequent boots. This is when the router generates the public / private key combination. I suppose that the manufacturers are bypassing this to simplify support. Alternatively, they are truly incompetent and simply flashing the devices with a firmware that already contains the certificate. But each device should have a different serial number which should invalidate a copied certificate. So they must be going out of their way to facilitate a common certificate. Possibly they disabled verification against the serial number?
Regardless of why or how they are doing it, a common certificate indicates a common private key. With that private key you can decode the shared AES (or DES) key and subsequently decode all network traffic. The key will be stored in FLASH memory and can be accessed via JTAG connection.
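One defender-side check for the situation the reply describes: if a fleet of devices was flashed with a firmware image that already carries the key pair, their certificates will differ in serial number but carry an identical SubjectPublicKeyInfo, so grouping certificates by SPKI fingerprint exposes the shared key. This is an added example, not code from the thread; the three-router fleet, its serial numbers and the `deviceCertDER`, `SharedKeyGroups` and `Fleet` helpers are all constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"time"
)

// deviceCertDER builds a self-signed cert (DER) for one constructed device;
// devices flashed with a baked-in key pair share key but not serial number.
func deviceCertDER(serial int64, key *ecdsa.PrivateKey) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// SharedKeyGroups maps SHA-256(SubjectPublicKeyInfo) to the serials of the
// devices presenting it; an entry with several serials is a shared private key.
func SharedKeyGroups(derCerts [][]byte) (map[string][]string, error) {
	groups := map[string][]string{}
	for _, der := range derCerts {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		fp := sha256.Sum256(c.RawSubjectPublicKeyInfo)
		k := hex.EncodeToString(fp[:])
		groups[k] = append(groups[k], c.SerialNumber.String())
	}
	return groups, nil
}

// Fleet simulates three routers: two flashed with the same key, one unique.
func Fleet() [][]byte {
	shared, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	unique, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return [][]byte{deviceCertDER(1001, shared), deviceCertDER(1002, shared), deviceCertDER(1003, unique)}
}
```

On certificates collected from real devices, any group with more than one serial is the shared-key case discussed above, regardless of what the serial numbers say.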