The issue isn't the router installing something onto connected devices. I suppose that's not technically impossible, but the issue is someone accessing connected devices through the router and compromising connected devices more directly.
This would be even easier if-- because a person putting their router on the internet might not understand good security practices-- they might also be more likely to do things like punch holes through NAT without understanding the risks and proper precautions.
Even without the user misusing NAT, a router will often give a list of connected devices, internal IP, and other details. An attacker with admin access to the router can easily punch their own holes through NAT to any of those devices, run port scans, and find vulnerabilities to exploit.
