We have been doing this software and hardware thing for a decent amount of time now. If the SSH server in your modem uses bad encryption because of a hardware issue, the company should replace it and not make their own infrastructure less security because of that. It's the issue with IoT in general, there's no maintenance plan. But some countries are enacting regulation to ensure these devices aren't left rot (and eventually become a national security issue).

I'm not saying companies should do this for free, btw.