The great home network
Unfortunately, as you have already said, many people do not upgrade a single component. But who can blame them? For years they have been sold the promise of devices that just work with minimum configuration, and so much of the blame is with the manufacturers. To be honest, most home users would likely screw up an upgrade anyhow - impatience causing them to turn things off etc., as well as some devices having less than stellar interfaces.
I'm with the other vendor whose attitude is predominantly to force an upgrade on you. To be honest I cannot blame them, as supporting multiple versions is a lot of work and encourages people to stick where they are, thus cementing the problem in. You pay your money, you take your choice. However, whilst this is fine in the home environment I don't think they would be able to sustain this in the SMB sector with their higher end gear. Not owning any of the rack kit I cannot say what their attitude is there. I am fine with upgrading to the latest and greatest after a few weeks so that any issues can emerge - been bitten far too many times by early adopter eagerness (which can leave you as a beta tester with some companies) to do otherwise. I wasn't too impressed with their fix, which took too long (in my opinion) to release given they only did a recompile with a change to a switch.
When the OpenSSL issues emerged the first thing I did was to close all port maps on the router and leave nothing exposed. It was a pain in the arse but with Heartbleed you just knew a script kiddie would get you with a port scan. I looked at my logs as soon as the fault was reported and witnessed scanning occurring from Rackspace-hosted boxes in the US - that's when services were shut down quicksmart.
After this episode I've now brought everything back with only SSH passed through and all other access via OpenVPN with an up-to-date install of Gargoyle on my home router.
Going forward there is a clear issue here - as these devices become more feature-rich (with more attack vectors) and more accessible to your average user we are now left with a situation where, just like with the dreaded Adobe Flash/Reader pairing, these things need to self-update unless told otherwise because the owner just won't be doing it and we don't want to be left with our data being scanned by someone's convenience kit. As for the IoT, internet-connected fridges and the like can kiss my arse because they will never have a place on my network.