I'd rather have that ASUS stupidity trophy than a backdoored router, which pretty much all of them are when from an ISP. Not many of them (none?) even care to update regularly.
You can pretty easily disable the backdoors with the backdoor admin account I discovered by extracting the firmware from the TR069 ACS server, and posted on my blog.
You have a TR069 interface that operates on a VLAN, you can disable that interface and it does not have the ability to contact the ISP or be contacted (this is not DOCSIS, I'm talking about GPON or xDSL).
In general all ISP combo devices are firewalled off from the WAN side, don't reply to pings and no open ports. If there was a kernel network stack bug, you can't bypass that with your own router, unless it's xDSL in which case you can buy ANY compatible modem and use it with the PPPoE login you can extract from your ISP combo device using instructions on my blog.
If it's GPON you can't do anything, it's a full Huawei system (ONT and OLT) and it needs to authorize with a serial number over OMCI, which you cannot replicate cheaply.
You can use a MikroTik router and a Huawei SFP+ transceiver, but that is too expensive to justify it for moderate-level geeks :)
