They don't even need to have intentional backdoors (as in, designed for spy agencies/law enforcement). The chances of a random home internet appliance not designed with serious cybersecurity considerations in mind (as opposed to "good enough to stop the average snooper/criminal") not having root-worthy vulnerabilities that can be exploited from the upstream provider is close to nil.
Remember, most of these things have as their only threat model someone trying to gain access from the Wi-Fi side before authentication. I doubt many vendors seriously consider questions like "can the cable connection to the ISP be used to take over the router?" or take steps to prevent it. For many devices, that sort of access could be considered as a potentially legitimate feature (think, customer support and remote diagnostics).
