[theincredulousk]

Predictably, the web servers are an afterthought for branding so that users don't have to edit configuration files and operate at a command line.

(a) 99%+ of people buying these things do not know or care about security, aside from someone stealing their WiFi bandwidth (b) the manufacturer does not care because of (a).

As follows, all they care about (WRT to the web server) is that they are easy enough for non-technical people to setup such that they don't end up on a tech support call or returning the device for a refund. That is it.

If you are the 1% that cares about security on your home network, it is far less stressful to simply conclude these products are not for you and move on with your life. You should be looking at enterprise hardware, open source router firmware, or rolling your own.

In any case, what surprises me is that over time the router manufacturers haven't simply built up a single, relatively patched-up, web server implementation that they re-use. Even without aligned incentives, you would think over years and years of development they'd have something at least as good as what you can clone out from from github for free.