> Who creates and regularly keeps the firmware for the dozens and dozens of router models secure and up-to-date?

99% of the firmware is not actually device specific, and more to the point no one has to create it because it already exists and is already maintained. You don't have to write the Linux kernel from scratch for every different device.

The problem looks like this: The vendor creates an opaque blob that runs on part of the device. This is only 1% of the code that runs on the device but it's the device-specific part. Moreover, that code interacts with the kernel, but was written to assume a specific older version of the kernel which is now out of date.

Updating it to use a newer kernel requires very little work if you have the source code -- in that case much of it is just automated refactoring -- but without the code it becomes a much more arduous reverse engineering effort. Likewise, if the device-specific code has a bug and you have the source code, the cause of the problem is easier to identify and the fix is to change two lines and recompile it. But without the code just identifying the problem becomes an intensive reverse engineering task again.

So you have a community which is willing and able to do a finite amount of work. Some subset of the device owners are programmers and if they can spend two hours fixing a problem that they themselves have, it gets fixed for everyone. But if fixing the same problem takes them two months, they don't. Therefore, the solution is to do the thing that allows it to take the shorter amount of time so that it actually happens.

It would be ideal if we could come up with a way to get people paid to maintain a community firmware. However, that's a considerably harder problem than "you absolutely must allow community firmware to be flashed".