The comping is everywhere including the routers. And for routers, it's not only Cisco. I didn't mean to point to Cisco specifically, although it is a widely used brand that's been around for a long time. Wikileaks Vault 7 release listed many brands that have exploits. They all have remote management interfaces and the ability to download and install new code. That is how remote software updates are done.
Some of these products shipped with weak, or no, or identical guessable passwords.
Nevertheless, even if they had strong passwords, they were hackable targets and are ideally placed for spying.
As a practical matter I assume taht EVERYTHING is comped. (Well, practically everything.) Well maybe the anon who said he built his own computer and his own OS might not be comped… but then most people lack the skills and time and motivation to do that.
And you're right, there was a report that some Lenovo laptops shipped with a rootkit preinstalled on the hard drive. OMG!!! A low-level infection that can't be removed by any ordinary means.
There are stories of exploits being found in USB port hardware, hard drive controllers, graphics chips, anywhere that has a CPU and memory and access to the system.