I seem to recall that the widespread DDoS vulnerability was due to too long of a "connection timeout" setting in the (Linux) firmware of those devices. If one has shell access, it is easily "fixed" until the next power cycle.

So... not always needing an upstream fix, but, yeah.