Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet?

[John Doe <security.department () tele2 ch>]

list members,

after following this list for about a year, I have my first question to you, 
and a apologize if I could have shortened my questions (English is not my 
native language):

*** INTRO *** 

Just for fun, I did the following with an IP address appearing in my server 
logs.

==[session]

bash-2.05b$ telnet aaa.bbb.ccc.ddd
Trying aaa.bbb.ccc.ddd...
Connected to aaa.bbb.ccc.ddd.
Escape character is '^]'.


User Access Verification

Password:
Password:
Password:
% Bad passwords
Connection closed by foreign host.

==[end session]
(As password, I entered three times ^C)

After a short whois "investigation" , I realized that the IP is part of the IP 
range through which the customers of this ISP connect to the internet via 
ADSL.

I know the person whose IP I telnet'ed: One of my customers handling sensitive 
data, located in the same building as the ISP.

As a non-expert, I concluded that aaa.bbb.ccc.ddd must be a router of the ISP, 
and that this may be a security problem / misconfiguration by the ISP.

So I contacted this ISP, giving the above example, and the ISP answered the 
following: "It's a zyxel router. We don't want to restrict the IP range for 
remote administration (by us) of the router. We didn't ever had any problems 
with this configuration".

*** THE QUESTIONS ***

Am I right with the following "interpretations" of this issue and with my 
reasons for these interpretations?

1. The ISP shouldn't have revealed the model of the router, because otherwise 
I had to do some work to find out.

2. It's bad (hmmm... very bad) practice to expose a router unfiltered to the 
public internet, because a) telnet is insecure due to plain text passwords, 
b) the router is an important part of the network and should be specially 
secured.

3. (not quite shure): Asking only for a password (and no user name) is bad, 
because only one string has to be brute forced

4. (my main question!): The reason given by the ISP to expose the router is 
totaly weird, because the IP range for _outgoing_ ADSL-connections is 
irrelevant for router remote administration, which is performed in the 
opposite direction and need's only one IP, p.ex. the one of the target router.

5. Probable reasons for the ISP <<not having had any problems>>: they didn't 
realize an existing problem, or nobody tried to hack the router. Right?

If I'm right with point 4.,

*** SOLUTIONS? ***

a) use a ssh connection to the router (hm... possible with this router?)

b) put the router behind a firewall, ssh to the firewall and from there via 
telnet to the router (even if it's not optimal to allow logins from the 
outside to the router itself)

c) put the router behind a DMZ host which itself is behind a firewall, then 
ssh through the firewall to the DMZ host and from there via telnet to the 
router (there's still a telnet connection which could be sniffed by a 
compromised host in the DMZ/local net)

I very appreciate every feedback from people having an overview on the 
combination of the involved "issues". I plan to think hard about all your 
answers, and getting further in (I don't hope: at the beginning of ;-) my 
judgments concerning network security.

thanks a lot in advance! 

P.S.: I don't have experience with ISP sized networks; my own network is 
small, with one router/paketfilter (gentoo on PC) between ADSL-Modem and local 
net. No DMZ. This is of course not optimal.