"BT routers come with randomised passwords and I see no reason to change them to something user-selected and likely less random. That must make up a large fraction of the 82%."
And how complex are these? My ISP-provided router came with a default WiFi password of 8 chars, only lowercase and numbers. I guess it would only take a few minutes to brute-force it.