Well that's fine for the providers, then, but what of the models that can apparently end up in a home?
The article states specifically that some vulnerable models can end up there.
More than likely. The whole point is to manage the CPE B-NT (typically your xDSL router) remotely.
This is nothing new. This has been reported for many years. Worst offenders are (or were) using only HTTP and not even encrypting, so not validating certificates is more of a minor offense.
I think the vendor should fix the firmware to validate certificates regardless of whether any provider requests it or not.
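To make the "validate certificates regardless" point concrete, here is an added example (not code from the thread or from any CPE vendor) in Python's standard `ssl` module. It builds the two client-side TLS configurations being discussed, a weak one that never checks the ACS certificate and a hardened one that requires a trusted chain and a matching hostname, plus a small audit helper that reports which checks a given context has switched off. The ACS hostname is a placeholder I made up; a real CPE takes it from its provisioning data.

```python
import ssl
from typing import List, Optional

# Placeholder ACS (Auto Configuration Server) name for this example only;
# in a real CPE this comes from the provisioning configuration.
ACS_HOST = "acs.example.invalid"


def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration the thread describes: TLS is negotiated, but the
    ACS certificate is never checked, so whoever answers the connection can
    pose as the provider's ACS and push configuration or firmware."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: hostname checking must be disabled before verify_mode
    # can be lowered to CERT_NONE, which is exactly why disabling it is
    # a deliberate act rather than an accident.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """What the firmware should ship by default: chain to a trusted CA,
    certificate name matched against the ACS host, TLS 1.2 or newer.
    ca_bundle may point at a vendor-pinned CA file; None uses system roots."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Report the ways a context fails to authenticate its peer.
    An empty list means the ACS certificate will actually be validated."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: ACS certificate chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate name is not matched against the ACS host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS older than 1.2")
    return findings


def acs_socket_kwargs(ctx: ssl.SSLContext) -> dict:
    """Arguments a CPE would pass to ctx.wrap_socket(); server_hostname is
    what makes the hostname check possible, so it is always supplied."""
    return {"server_hostname": ACS_HOST, "do_handshake_on_connect": True}


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        problems = audit_context(ctx)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Running it prints the two findings for the weak context (no chain validation, no hostname match) and an empty report for the hardened one. The audit helper is the kind of check a vendor could run over every TLS context its firmware creates, independent of whether a particular provider ever asks for validation.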
I've always turned TR-069 off as I don't want the provider to go mucking with configuration or push firmware without me knowing and potentially breaking something. Of course it depends on the provider whether that is an option or not.
It's not that bad a system if implemented properly, but with money and least effort often winning over doing it right, how often is that likely to happen?
TR-069 in case anyone is interested and too lazy to find it themselves.