Don't use a router provided by an ISP
With factory-set credentials ready for abuse. (ie. It works out of the box so no need to bother with difficult things like password.) Not to mention some remote management that can't be turned off. Complete with undocumented Fisher-Price interface totally devoid of key settings.
As IoT things are basically a sealed box with no way of opening the bonnet and having a poke around with a few OS tools, what the hell am I supposed to do when, say, my Mum's security camera stops working for no known reason? Just about the ONLY thing I can do is throttle potential harm at the router.