"How many people will actually apply this firmware update? 90% of people plug their router in, hook their equipment up to it and leave it that way until it breaks, then they replace it."
This has broader applicability as well. No matter how much software people may wish otherwise, people treat their hardware like a black box and it makes no sense to them for it to be changing after the fact.
So you have massive vulnerabilities in just about anything ever shipped, because of the way software is developed. (There are other ways to develop, but essentially no one wants to hear about them, because they are slower.) Security depends on updates being applied quickly, yet this is always going to be problematic. Relying on the customer to apply an update (particularly one that has warnings about bricking your box on it) on time is ludicrous in most cases, yet any sort of automatic update system that does not rely on the user to make judgements is just another huge surface for vulnerabilities as well.
Put it all together and security is usually a bad joke.