Cable modems are based on a pre-Carterphone philosophy that the modem is an extension of the ISP and is completely owned (and 0wned), configured, updated, etc. by the ISP. They let you buy your own, but that doesn't change the protocol.

Makes sense. If they were to update something in their auth protocol or need to patch a security issue most people wouldn't have the tech chops to update firmware.

It should be auto-update but with the option to disable updates. So only technical people will turn that off.

How does this change anything? You can accept the update, or just let it will stop working with their network. And how is the new update any different in terms of trust than the initial carrier-specific update the modem gets when you activate?