Sounds like TR-069 / CWMP vulnerabilities are still around

Weird advice to use a password between 16 & 64 characters… I guess that’s US Gov’s password cracking limit /s

Routers don’t even need to be old to be targets. A sizable chunk of people will plug in a router, set up the WiFi and never touch it again other than to reboot so the firmware is never updated again.