Some home routers have poor security: infrequent updates, HTTP (not HTTPS) web consoles, single-factor authentication (password only, without username for instance).
Enabling your firewall is the bare minimum, costs nothing and it's a good security practice.
Sure, that is true, but if you're getting it from the ISP and it's that bad, you need to change ISP.
Plus, ALWAYS get into the router and set a new password. Always. And go over all the settings to be sure. As you say, a shit ISP may have lax security.
Not to mention, a lot of ISPs still provide you with shit hardware, so by just purchasing an actually somewhat decent router you may even notice a performance improvement on your network as well.
It usually isn't too hard to insert your own router into your network setup. You might have to battle with ISP support a bit though, but a ton support either Bridge Mode or IP Passthrough.
I'm not sure how it is in your country, but where I live we don't have a contract with the ISP. We just pay monthly and at any time we can cancel. But if you have a contract, then yes, you'll need your own router ideally.
In my country all ISP routers suck hard. I can change ISP but it doesn't help at all. You have to be lucky to get a working router, it seems. We can get service with no contract with extra €, but you still have to use their router that doesn't support bridge mode. I'm not even talking about router security.