Having an IoT device with security vulnerabilities does not automatically make you vulnerable to botnets because it’s behind your router’s NAT under normal conditions.

Botnet infections occur primarily through one of two ways: Vulnerable devices exposed directly to the Internet, or app downloads and installs on persons computing devices.

The TV box appears to be a rare hardware version of convincing someone to bring something into their network that compromises it. Usually it’s a software package that they’re convinced to install which brings along the botnet infection

Regardless, it’s a weird and dangerous mentality to believe that being part of a botnet is a “who cares” level of concern. Having criminal traffic originate from your network is a problem, but they might also decide to exploit other vulnerabilities some day and start extracting even more from your internal network.

Nope, many IoT devices open ports via UPnP. The biggest botnets are composed of (among other things) smart plugs, baby monitors, doorbells, IP cameras...