bornfreddy 4 days ago

I have mixed feelings about the message "no updates -> vulnerable". The vulnerabilities have been in these devices all along. Some techniques for uncovering them got better over time, but I would guess not substantially. So why should abandoned hardware be any riskier than a brand new router, whose vulnerabilities haven't yet been discovered?

If they support OpenWRT or similar, fair enough - maturity does bring some additional safety. But in general this is not the case. Or am I missing something?

aspenmayer 4 days ago

> So why should abandoned hardware be any riskier than a brand new router, whose vulnerabilities haven't yet been discovered?

The time value of money is at play here. Vulnerability researchers are either black hats or they are something else. Most folks who research vulns don’t exploit devices they don’t own, and those who do are mostly black hats. Most folks with the skills to be black hats if they so desired definitionally have the “skills to pay the bills” but they may be using them in the legal market, so they would need a large return on the time invested, as well as a premium for doing illegal things due to the downside risk of being caught.

Vulnerabilities that can be exploited pay more than hypothetical ones, so proof of concept is worth less than a fully operationalized exploit chain. The larger the install base, the larger the pool of vulnerable target devices, and the larger the payout to the researcher.

A bird in the hand is worth two in the bush because the sure thing is worth more than uncertainty. A demonstrated capability that exploits a vulnerability in a widely distributed device is worth more because it does more than a hypothetical vulnerability in a brand new device that doesn’t already have market penetration or saturation.