Why do people still run software from router vendors?
To save the cost of buying a majority of shares in the router vendor in order to acquire its cryptographic code signing key and access to a relinkable version of the binary blob drivers required by its chipset. And that's assuming the router vendor's stock is even publicly traded. Or, less flippantly, to save the cost of replacing the router whose cryptographic code signing key and chipset driver source code are not available to end users with one whose key and source code are.
In addition, to save the cost of having to register and continue to renew the domain corresponding to the HTTPS certificate that the router's administration interface uses. The router vendor issues each router's stock firmware a certificate on a subdomain of the router vendor's domain. A user of custom firmware would have to bring his own fully qualified domain name (FQDN) in order to use Let's Encrypt.
Why is the router asking for a password? It should really be using public-key encryption and/or shared secrets, which are never seen by the user.
A password is a user-visible shared secret. Without a password, how does the owner of a router authenticate himself to the router as having the right to authorize the user authenticated by a particular public key to configure the router?