That's why open source can never compete with business grade closed source stuff:
- they fixed the issue in 3 hours instead of making customers wait 6 months for a patch (if any)
- they did not try to sue the reporter of the issue
- they did not even tell the users to throw away the "outdated" but perfectly working devices, offering a small discount to buy new
Just why I love OpenWrt. They even ask the people that use screen readers like me to test the web interface to make sure that all is working as it should.
Whilst this is true, it looks like OpenWRT fixed the hash truncation but not the command injection.
I hope they're planning on fixing the command injection. As the blog post says, the created images are signed. Even without the signing, it's code execution from untrusted user input. And of course vulnerabilities can be strung together (just like in this hash collision case).
I have a router that from my ISP I am forced to use that has had a few CVEs ranging from not good to really bad. Most of which are years old. I can get a replacement but it's just the same model. They don't care about security at all and don't care about patching it, even though they have exclusive access rights to the router and can remotely log in to it. It's completely ridiculous.
This only works for a handful of open source projects with corporate backing and the resources to fix these issues quickly.
For most OSS projects, the maintainers are either too overworked or just don't feel like fixing security issues.
Not gonna lie, you had me in the beginning.
>they did not even tell the users to throw away the "outdated" but perfectly working devices, offering a small discount to buy new
Because they simply brick the device when updating and it's easier, faster, cheaper to buy a new device than to unbrick.
Maybe make it clear you are being sarcastic here. English is not my native language, and my initial interpretation was that "they" in your post referred to the "business grade closed source stuff", and that OpenWRT is really a dangerous bet because they are guilty of all the things you listed.