I'm confused why you're so honed in on OpenWRT as a third-party open-source project here when the vulnerability you quoted (TotoLink) was the official firmware update server of a brand of devices.
Is it "scary" to think about OpenWRT potentially getting hacked? If you get scared by theoretical possibilities in software, sure. Is it relevant? Not exactly. Are companies' official servers more secure than an open-source project's servers? In this case, apparently not.
What's scary is that OpenWRT is a project created by people who wanted a better solution than what was out there, and are therefore largely driven by a desire to create a good product.
Meanwhile, corporations are driven entirely by profit motive, so as long as it's more expensive to be vigilant about security than it is to be lax about it they will never improve.
Until companies which produce (and do not update) vulnerable equipment are penalized (e.g. charged with criminal negligence) for DDoS attacks using their hardware, the open-source projects are going to continue to be far more trustworthy and less vulnerable than corporations which mass-produce the cheapest hardware they can and then designate it as obsolete and unsupported as fast as possible to force more updates.