Mate. The shit that a retail ISP will send to the punters. Adjust your expectations sharply downward.
The reason this crap ends up in botnets is because it suits retail ISPs to have a common password for their own access. I've found that password on a forum and used it to get higher privileges than I had with my own login. And yeah, web management over the WAN was enabled by default.
Crazy! What brand router was this? I've never seen an IPv6 capable router configured to permit all traffic by default.