Let's pretend this is an ideal world; could ISPs just automatically assign DNS entries to their customers' IP addresses? The router could figure out its public name via a reverse DNS lookup, then do a Let's Encrypt / ACME challenge for a certificate against that domain name. (I have no idea how the customer ends up knowing the domain name, though. Though, if ISPs are supposedly so eager to "differentiate" their product, hell, an easy-to-use interface to have full control over <yourname>.ISP.com would actually be a decent feature, but then, I don't know what would make non-hackers care about that.)
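The "figure out its public name via reverse DNS" step above only works if the name also resolves forward to the same address, because ACME validation (HTTP-01, TLS-ALPN-01) contacts the name's A/AAAA record, not the PTR. The following is an added example, not code from the thread: a forward-confirmed reverse DNS check a router could run before generating its own key and ordering a certificate. The ISP zone and addresses are constructed, and the resolver functions are injected so it runs offline.

```python
# Added example: forward-confirmed reverse DNS (FCrDNS) check before an ACME order.
# Constructed sample records; replace lookup_ptr/lookup_a with real DNS queries.
import ipaddress
from typing import Callable, List, Optional

# Constructed PTR and A records an ISP might publish (hypothetical zone).
SAMPLE_PTR = {
    "203.0.113.10": "cust-10.example-isp.net.",  # forward record matches
    "203.0.113.11": "cust-11.example-isp.net.",  # forward record points elsewhere
    "203.0.113.12": "pool-12.example-isp.net.",  # PTR only, no A record at all
}
SAMPLE_A = {
    "cust-10.example-isp.net": ["203.0.113.10"],
    "cust-11.example-isp.net": ["203.0.113.99"],
}


def lookup_ptr(ip: str) -> Optional[str]:
    """Stand-in for a PTR query (constructed data)."""
    return SAMPLE_PTR.get(ip)


def lookup_a(name: str) -> List[str]:
    """Stand-in for an A query (constructed data)."""
    return SAMPLE_A.get(name, [])


def discover_acme_identifier(
    public_ip: str,
    ptr: Callable[[str], Optional[str]] = lookup_ptr,
    a: Callable[[str], List[str]] = lookup_a,
) -> Optional[str]:
    """Return the hostname this device may request a certificate for, or None.

    A PTR alone is not enough: the CA validates against the name's forward
    record, so a name that does not resolve back to our address would fail
    validation (or, worse, point the CA at someone else's host).
    """
    try:
        ip = str(ipaddress.ip_address(public_ip))  # normalise, reject garbage
    except ValueError:
        return None
    name = ptr(ip)
    if not name:
        return None
    name = name.rstrip(".").lower()  # PTR targets are usually FQDNs with a trailing dot
    if ip not in a(name):
        return None  # no forward confirmation: do not order a cert for this name
    return name  # safe to use as the ACME identifier with a key generated on-device
```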
This is because the device would have to ship with the private key.