Default passwords etc
Personally I think 'default' passwords, admin and WiFi (and SSIDs) shouldn't even exist.
Part of the initial setup should be to force the user to log into the router/modem and put these details in themselves, with minimum standards on the complexity etc.
Even with an issue these days being that not everyone has an Ethernet-enabled device, that could still be handled.
A possible option could be to have an initial, default but restricted WiFi SSID and password (and possibly a restricted Ethernet), restricted to a DMZ that only allows access to the router's admin page, and not the Internet itself.
So the user connects to the new shiny router with <any device with WiFi/Ethernet and a web browser>. And if via WiFi, uses the initial 'temp' SSID and password.
User is presented with a simple configuration web page (irrespective of what URL they typed in), that forces the user to set up a new admin password for the router, and then a new WiFi SSID and password (or to disable the WiFi if they don't want to use it).
The router doesn't enable Internet access until these steps have been completed.
If you only put in the new admin password, and don't change the WiFi SSID and password, then only Ethernet gets Internet access, with any WiFi connections still being DMZ restricted to the router admin page.
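
The gating rules proposed in the post above, modelled as a small policy function. This is an added example, not code from the original post or from any router firmware; the names, the 12-character minimum and the character-class rule are assumptions, since the post only asks for "minimum standards".

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    PORTAL = "redirect-to-setup-page"
    DROP = "drop"

ROUTER_ADMIN = "router-admin"  # hypothetical label for the router's own admin page
MIN_LEN = 12                   # assumed minimum length

@dataclass
class SetupState:
    admin_password_set: bool = False
    wifi_reconfigured: bool = False  # user chose a new SSID and WiFi password
    wifi_disabled: bool = False      # user opted to turn WiFi off instead

def acceptable(secret, factory_values):
    """Assumed rule: long enough, two or more character classes, not a factory value."""
    classes = sum(any(f(c) for c in secret)
                  for f in (str.islower, str.isupper, str.isdigit))
    return len(secret) >= MIN_LEN and classes >= 2 and secret not in factory_values

def set_admin_password(state, secret, factory_values):
    """Record the admin password only if it meets the rule; report whether it did."""
    ok = acceptable(secret, factory_values)
    if ok:
        state.admin_password_set = True
    return ok

def decide(state, iface, dest, is_http=False):
    """iface is 'wifi' or 'ethernet'; dest is ROUTER_ADMIN or any Internet host."""
    if iface == "wifi" and state.wifi_disabled:
        return Verdict.DROP              # radio is off, nothing is served
    if dest == ROUTER_ADMIN:
        return Verdict.ALLOW             # the setup page is always reachable
    # From here on the destination is the Internet.
    released = state.admin_password_set and (
        iface == "ethernet" or state.wifi_reconfigured)
    if released:
        return Verdict.ALLOW
    # Not released yet: plain HTTP is steered to the setup page "irrespective
    # of what URL they typed in"; everything else is dropped.
    return Verdict.PORTAL if is_http else Verdict.DROP
```
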