Re: Real risk ?
Having had the pleasure of an ISP-supplied ZTE router, I can believe the warnings.
An earlier firmware version had an exploit on the TR-069 port, which the ISP enables so their customer service droid can press a button and reset everything to factory settings to make their lives easier. The answer to any problem is now reset and I'll do it for you in case you don't know how to insert the paperclip in the hole and keep it there for 10 seconds. You had a LAN nicely set up? Own SSID or Wi-Fi password? Disabled WPS? Why would you want to do that?
Going online with this version got your router pwned within seconds: the settings were changed so HTTP was enabled on the WAN side and it was now part of a botnet, sort of similar to going online with the original Windows XP.
The fix the ISP pushed out patched the TR-069 exploit, but still left the HTTP port enabled, so it was still part of the botnet.
Luckily they're so full of holes that you can run exploit programs to lift the settings out of them and change to another router.