I suspect it's likely because TP-Link tells/is forced to tell the Chinese government about 0days that are still unpatched, which would give them the advantage to conduct large-scale espionage and recon before it's fixed.
Very similar to how Microsoft gives the same info about 0days to the NSA to use for the same exact reason.
> I suspect it's likely because TP-Link tells/is forced to tell the Chinese government...
I think if we are there, then we should assume all 0days are known by various states before patches are available, regardless of whether companies are set up to share that information or not. You don't need to get the company to share that information, just one person in a company, and I don't really see that as being a challenging task for a state to do.
I dunno if they're the next biggest, but they are one of the largest in the consumer space. They've been the best selling networking devices on Amazon for nearly a decade and ISPs use their products when bundling WiFi setups with ISP service (although those are usually centrally managed by the ISPs themselves).