my modem/router is 'telco property'
and my newest device has an unknown amount of admin accounts on the WAN side. so I turn off its Wi-Fi/remove antenna & use its capacity as a router to connect a single cat5e to my 'real' ASUS dual-core cpu router, which then DHCP supplies all the devices in the house, double NAT of course. This seems to be the best compromise between safety & security. in-home Wi-Fi obviously uses WPA2+AES, (not AES+TKIP as there's a downgrade attack) with "Correct Horse Battery Staple" as the password. With really thick house-walls I gave up trying to blast watts of Wi-Fi through them & replaced the kilometre of TV coax run through the walls with cat5e instead, now using multiple old routers, about 6 of them, as low-power Wi-Fi access points. DD-WRT on those that support it allow great flexibility.
remember, should you occasionally use bit-torrent to update/upgrade your linux distros that crappy routers can't really handle the 200+ threads that a BT session opens - so they choke - requiring a power-cycle to erase the NAT table; whereas for the same device with DD-WRT firmware this can handle 4k threads, and a well resourced new router considerably more!