My buddy, who does security research, tells me that on stock firmwares of a lot of routers WPS is turned on and can not be turned off. He claimed that he encountered several routers where after turning off WPS in the settings he was still able to use WPS vulnerability to crack the key. He thinks it has to do with the setting not being fully applied, as in, the check mark changes, but nothing happens on the backend.

Mind you, I think with open source firmware like TomatoUSB and good password you should be good.