So flaws are there in any system. And known vulnerabilities don't necessarily mean that nothing is being done to fix them.
Check out Asus's and Netgear's CVE stats for the last 10 years:
Asus: www.cvedetails.com
Netgear: www.cvedetails.com
Looking at the stats it would seem that Netgear's products are having fewer problems, but that doesn't mean that Netgear is patching and responding faster or developing better code than Asus--it may simply reflect the fact that Netgear's stuff is attacked less often.
And attacks and vulnerabilities usually come with extended capabilities, because these days if you want to do something more, you have to give up some security.
Okay, this applies more to cell phones than anything else, but it's making its way into IT as well.
So if you're not using anything out of the ordinary like remote connections or built-in network filtering by a third party, a lot of times you aren't even exposed.
And this is maybe why exploits exist--because people don't check and understand what they are doing before they do it. Why do you need UPnP enabled on your network? If you don't, you're just opening yourself up to an exploit that uses that feature you don't need. And this is how a lot of exploits work.