That is very common with provider issued equipment. Anything you get from your ISP should be considered their equipment rather than yours and your's should assume therefore that they maintain some sort of control over it. For serving very non-technical home users this is actually an advantage.
Over here when you are BT's FTTC setup through any ISP the vDSL modem that hangs off your master socket (which can do more but is used in this arrangement to simple pick up the connection from the phone line and provide PPPoE on the ethernet port) is very definitely BT/OR's: they tell you not to mess with it, people who want to mess with it have to use hacks to get access to the UI (which is otherwise locked off), and if you plug something else in at that point you are officially not supported. If the router that you plug in to that came from your ISP then that is their's (usually you have to return it when you leave).
If you buy your own router (or "make" your own, people who have a small Linux machine on 24/7 for various things just set that up to talk PPPoE directly and skip the router altogether, neatly avoiding the limits of many "consumer grade" units (shoddy IPv6 support for instance) without shelling out for a much better device) only then do you truly have control of security at that point in the topology. But some ISPs won't support you if you don't use the provided router (though if you know enough to purchase your own router you might not find such an ISP's tech support much help anyway).
Over here when you are BT's FTTC setup through any ISP the vDSL modem that hangs off your master socket (which can do more but is used in this arrangement to simple pick up the connection from the phone line and provide PPPoE on the ethernet port) is very definitely BT/OR's: they tell you not to mess with it, people who want to mess with it have to use hacks to get access to the UI (which is otherwise locked off), and if you plug something else in at that point you are officially not supported. If the router that you plug in to that came from your ISP then that is their's (usually you have to return it when you leave).
If you buy your own router (or "make" your own, people who have a small Linux machine on 24/7 for various things just set that up to talk PPPoE directly and skip the router altogether, neatly avoiding the limits of many "consumer grade" units (shoddy IPv6 support for instance) without shelling out for a much better device) only then do you truly have control of security at that point in the topology. But some ISPs won't support you if you don't use the provided router (though if you know enough to purchase your own router you might not find such an ISP's tech support much help anyway).