Running your own firmware is not a security problem, it's an essential right you have
The problem in this case was that you could change the firmware without being physically at the device. A simple button, or in fact a timer that only allows firmware updates for the first n minutes after booting, would have solved that problem.
Of course this is an easy find. Just look at the firmware images, take them apart and change them before putting them together again. Installing the cross compiler to make your own binaries to put into that image is more complicated than that. Many people who want to start a career in security or who want to promote their security outfit just bring that out purely for promotion. That would be perfectly all right if it didn't put the idea into people's minds that running your own firmware is a security risk.
Let me put it another way. What they did was change the firmware and remove the update function. A legitimate user might do exactly the same. First remove all the junk from the firmware you don't want (i.e. the calling home functions), then remove the update function so nobody can install the less secure vendor-provided version again. Removing functionality is relatively easy and it can bring you a great security benefit.
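The button-or-timer gate suggested above, sketched as an added example (not code from the device or its vendor). The window lengths, the struct and all function names are assumptions, as is the one-shot rule that closes the gate after an update has been accepted.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed policy values; the text only says "the first n minutes". */
#define BOOT_WINDOW_MS   (5ull * 60 * 1000)  /* updates allowed this long after boot */
#define BUTTON_WINDOW_MS (60ull * 1000)      /* or this long after a button press */

struct update_gate {
    uint64_t button_ms;    /* uptime at the last button press */
    bool     button_seen;  /* false until the button has been pressed once */
    bool     consumed;     /* set once an update has been accepted */
};

/* Call from the interrupt handler of a physical button (assumed hardware). */
void gate_button_pressed(struct update_gate *g, uint64_t now_ms)
{
    g->button_ms   = now_ms;
    g->button_seen = true;
    g->consumed    = false;  /* a fresh press re-arms the gate */
}

/* now_ms is monotonic uptime in milliseconds, starting at 0 on boot.
 * - It must not come from the wall clock: a network peer that can set the
 *   time (e.g. via NTP) could otherwise move the device back into the window.
 * - It is 64-bit on purpose: a 32-bit millisecond counter wraps after about
 *   49.7 days, which would silently reopen the boot window. */
bool gate_is_open(const struct update_gate *g, uint64_t now_ms)
{
    if (g->consumed)
        return false;
    if (now_ms < BOOT_WINDOW_MS)
        return true;
    /* Unsigned subtraction: a bogus button_ms in the future yields a huge
     * difference and therefore a closed gate. */
    return g->button_seen && (now_ms - g->button_ms) < BUTTON_WINDOW_MS;
}

/* Entry point for a (hypothetical) network update handler: refuse the upload
 * unless someone power-cycled the device or pressed the button recently. */
bool gate_try_begin_update(struct update_gate *g, uint64_t now_ms)
{
    if (!gate_is_open(g, now_ms))
        return false;
    g->consumed = true;      /* one update per physical action */
    return true;
}
```

This only restricts who can start an update; it places no restriction on which firmware image the person at the device installs.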