Looking at the kinds and amounts of just standard software vulnerabilities in those firmwares that have been found in the past, I presume there's plenty of low hanging fruit still to be found there. It doesn't really need to be an intentional backdoor, it can be just good old buffer overflow with remote execution.