If they then uploaded modified firmware then you'd never be able to fix it either. It could then route (say) common bank domains through a remote proxy to capture passwords.*
* This bit would be beyond me personally, but I suspect a fake site with a Let's Encrypt cert would be sufficient to fool the aforementioned 82%. The firmware upload might be hard on recent ISP routers also, but maybe just changing the nameservers would be enough to redirect certain traffic.
My point is, I don't think this should be written off as FUD.