Routers are not firewalls
Home users and SOHO deployments use router / modem devices to interface easily with their broadband supplier. It's simple: you buy your broadband from your favourite network supplier and they send you a modem that you plug in to their socket and it's up and running: Robert is you mothers brother.
To try and then say that this is also a firewall is nonsense. The vast majority have extremely limited firewall capabilities. Many only support limited port forwarding.
And in the main, this should be fine. Little Johnny, playing call of duty, only needs a port open to the game server, which he opens. Little chance of hacking this line, and provided the network initialisation is such that the game can authenticate the game server, and the game server can check that the game is not a hacked version, all should be well.
Two problems remain:
The first is that the router people throw in a wifi hub for free. Oh, look, it's easy, I can use my [insert name of PC, tablet, smart phone, IoT device here]. And this is whats wrong. The user has sacrificed all security because they want easy access. Get the phone to open up some of its security (Yes, Android at the back, I'm talking to you here, and Windows, you can stop sneering as well) and then you have a real problem. It's not the router per se that is at fault, it's the users. Most will never even know that their internal network is now part of a botnet.
The second problem only comes when someone wants to open up the ports (email server, web server, etc) and run these at home. Then you need some sort of firewall capabilities. And some really hardened, trusted software for your server.
The final problem is the remote administration. WHY did anyone think that this was a smart thing to do on a cheap router? Unless it is protected by some form of 2FA, any supplier who sells their products with remote management even available, let alone enabled, should really be taken out and beaten with a club until they can understand the risks involved.