Re: How nice
Not everybody is willing to spend hundreds of $ for an "enterprise" router, nor would they be able to configure it themselves - thereby they are forced to rely on the ISP router and its configuration.
And not everybody has a spare PC running all the time (maybe making noise, consuming power and increasing fire risks), nor has the skill to configure it as a router and firewall.
That is true for APs as well - I spent some $$$$ to get one (which is only an AP) which allows associating each SID with a different VLAN (and also spent some $$$$ for a managed switch to configure those VLANs - and the needed ACLs), for example the Sky decoder can access the Internet but can't access anything else (it's a PC inside my LAN I have no control over what it does... and it can also download software from its satellite connection....) I use WPA2 + RADIUS for authentication but for that SID used by devices that can't use WPA2 Enterprise (and thereby set to a restricted VLAN). But that's an "expensive" setup that also requires some expertise to put it all together (DHCP, DNS and RADIUS don't run on the router also, requiring another device to buy, set up and configure), well beyond the average user's.
Most will have a single SID AP, an unmanaged switch probably built into the AP or router (or the all-in-one device they use...) thereby they need to rely on the security of that single device - and because those devices are also more common, so integrated, and widely deployed, they are also a far better target for some criminal activities - but you can't really blame the user for not adopting what from his or her perspective are just too expensive and too complex setups, unsupported by their ISP.
After all we IT nerds need to trust someone else also in matters we have no expertise in. If the ISP rents routers, it and its suppliers need to take care of its security. As I do expect my bank to be secure because I can't set up my own....