[hex4def6]

Because it's a strategic issue. The internet is critical infrastructure. While TP-Link might not have contracts with ISPs and datacenters, it doesn't take a lot of imagination to think what damage you could have with 30% of the home / small business routers under your control.

This could range from plausible deniability stuff (like the examples in the article), to targeted investigations / attacks (Bob who works at the Gov Accounting office for Miliary Spending), all the way to a 100-million unit botnet turning to provide a few days of distraction ("Bad hackers compromised our OTA system. Sorry!") on while a certain island is being eminant-domained.

Your food example is not the same. You can't trojan-horse an apple pie, or target an individual customer from the supplier-side (yet). If you decided to poison them, that's pulling the pin from the grenade right now.