"because the routers are end-of-life, the vendor no longer issues security updates"
Router manufacturers seems to get away with only patching the equipment they make for a very short time. In my experience home routers may get one or two updates in the first 18 months and then nothing. Cisco is a bit better with company equipment but they absolutely know about vulnerabilities in older equipment and do not push updates because it would be bad for business. They have to share some blame for their equipment being used in this way. I know the equipment owners should know this.
If I remember correctly Microsoft issued an update for Windows XP five years after it went out of support because it was a bad one being actively exploited.It would be nice to see Cisco doing the same.