@dsf58 I think that's actually a very good point. As a baseline you should set the 'modem' so that it doesn't respond to WAN-side management requests, but as we've seen recently there's little guarantee that this is 100% secure for now and in future.
In theory, using it as a modem (bridge) only should mean that it doesn't get a public IP address and therefore it would be useless for most DDoS attacks. However, I wouldn't be surprised if some ISPs still assign them an IP address for their management purposes - I may well be wrong but I suspect Virgin do this even if the SuperHub is in modem mode for example.
I don't think there's a way around this really, as long as the modem is another box it will have some sort of potentially exploitable flaws; some manufacturers will be better at reducing the risk and issuing updates, some won't really care.