While I can't speak to many specific vulnerabilities, I do know that Apple issues software updates for their routers.

More importantly, they provide their own router management utility (Mac/Windows only), which everyone will have installed when they set up their router. It notifies you of new firmware releases and prompts you to install them. Yes, you could do something similar on an admin panel at 192.168.1.1, but nobody's every going to check it. As much as I loved my WRT54GL and its various 3rd party firmwares, I think Apple's approach is better for general use.

Their most recent release was in April 2014, IIRC in response to Heartbleed. http://support.apple.com/kb/DL1708

just to add to what you're saying, they also have an iOS app to control their router, and you can update the firmware from that.

As an addendum to my own thoughts, this approach is better from Apple, but I don't have much faith in Belkin, Linksys, Netgear, etc. being able to pull it off.

Given all of the issues we've seen recently with their router firmware, the router "cloud" features, and the number of different models, I don't think they could do this successfully.

Netgear has (at current count) 97 wireless routers for sale on Newegg, including some duplication for refurbs. Whatever the exact number is, it's a lot more than 3.

Yes, it's a completely different business model. Retrofitting security into organizations that view software/firmware as disposable is probably so expensive that they will argue that it's impossible.

I'm not aware of any serious vulnerabilities for AirPort routers. They run a pretty clean version of NetBSD with very few services. However, there are some internal Apple services (presumably written in C) running on the router to facilitate configuration, AirPlay, Back to my Mac, Time Machine, and maybe others.

The minor things I know offhand:

- The old configuration protocol transmits your password (and everything else) in pretty much plain-text, which can be theoretically intercepted by someone connected to your network (and anyone listening when you set it up for the first time). I think the newest configuration protocol uses Secure Remote Password, but I don't know if anyone's audited their implementation.

- When new AirPort routers first come online, they broadcast a public open WiFi hotspot to allow wireless setup. This can be accessed by anyone within range. An attacker could make a device (say, a WiFi Pineapple) automatically connect to every AirPort it sees and configure it maliciously. Using only public information, you mostly be able to annoy the owner (maybe intercept some traffic by updating their DNS settings). I won't rule out someone dropping a rootkit on your router during the open configuration period, but the simplest method (a firmware update) at this point will cause the router to reboot so it's at least a bit conspicuous.

Also see this comment: https://news.ycombinator.com/item?id=8441500