First of all, a Linux box from 10 years ago is no less or more secure than a Linux box from 2 days ago. I'm positive I could put a Linux 2.2 box on the Internet today and it'd never get hacked.
Second, your hypothetical mass attack would be easy to fix. Reinstall Windows on your malwared-up desktop, buy a new router, plug them both in, and update the router using approved vendor sites. There are no WAN hacks, and the client machine wouldn't have any malware on it, so it could update safely.
The router manufacturers just need to disable all remote administration features and require a USB or CAT5 "admin port" to access setup functionality. Honestly, a bare-bones firewall with no features other than DHCP and NAT is all 99% of people use anyway.