"You don't have to be authenticated, you just have to be able to reach the router's web-based management portal."
And why would you have that visible remotely over a plain Internet connection, or indeed internally unless you're on an administrative VLAN?
It's the ridiculous logistical arrangements that companies decide to use that cause security problems, much more than the fact that someone may have found a small hole.
It's time we made systems that *ACTIVELY* prevented their poor implementation. Like refusing to expose administrative web consoles on any Internet-facing connection, enforcing administrative action only over a physically separated console cable (like we always used to do!), refusing to activate service until passwords have been changed from the default, etc.