...ignored upgrading because they thought their router wasn't classified as "unsecured"...
Any port open to public networks is unsecure! The point is if port is closed by firewall or by disabling service then it is considered secure.
That is only the situation after it went wrong. In fact I always configured my equipment like that and carried it forward into MikroTik
equipment configuration, but there could be many users who believe that a service listening on an open port and fitted with authentication
is "secure" too. Unless the attacker knows the password they can't get in, right?
Of course others have become victim of that when there turned out to be bugs in the service handling the request
(remember logging in to systems by entering the username -froot instead of root because -f meant "no need to authenticate this login"?)
and now the general stance is that a service cannot be trusted no matter if it does authentication or not, you need to lock the attackers
out of the service before they attempt authentication.
But as you know, there is a very big group of users of your equipment in countries where there apparently is a market for wireless last mile
internet access, technical development in general is a bit back compared to other countries, but there are bright guys with no money who
don't mind to hack the system to get the access they want. The operators usually have little networking and security knowledge and they
deploy more or less default configurations and/or follow guidelines for setup they find on youtube (before consulting your own documentation).
These networks are hacked all the time because the security mechanisms are not well configured, or simply are not up to the task of
really providing security as opposed to holding back some nosey people who have no real interest in cracking the system.
This is partly because of the availability of vulnerabilities like the last two big ones, partly because of naive approach to security,
and some of that is of course part of the standards that are being used. A system like hotspot really cannot withstand any serious attack,
but it is likely not so easy do do much better.