Re: A few at fault here
Quite simple, the need for port '5004-5060' to be open to allow connection is irrelevant; if you lockdown all incoming connections, it should lock them down. If a user then needs it to be open to allow SIP it’s up to them to open it up. Or is that too simple?
As for BT, I think a simple amendment of the firmware would've resolved this. Surely offering 'All incoming connections will be refused EXCEPT 5060 for VOIP purposes' with another option beneath stating 'Block all connections INCLUDING 5060 (this prevents VOIP working)' would suffice. Or specifiy a port for VOIP (blank means no VOIP). You know, user choice.
Other than that glaring flaw in your post, I thought the rest of it was alright. The question that needs to be answered though is if the account was set up as business or domestic; that'll put the blame of the HH5a router being used squarely with BT or the firm.