Re: "Let's use a firewall"
I've come across many enterprise routers where this setting has to be configured out of the box. You're confusing best practice with "all routers work this way".
You are still talking about routers, not firewalls. Routers will indeed allow all by default - see my original posting.
You are also confusing the generally invisible default deny rules that firewalls have with those that are put in under good practice so that the organisation can log what was dropped by the rules base. The default rules do not provide logging and are there to ensure that they do not fail open. Any opening is by user rules only. Enterprise firewalls often have hardware offload and the default drop is in hardware, which is another reason why the UI doesn't show it.
Of course it's possible that some vendors will not have implemented industry best practice, but I guess that's also why they are not used in enterprises. It's hard to get sign-off on a product that is not evaluated (Common Criteria or FIPS), does not follow recognised industry good practice or have an industry reputation for being robust.
Irrespective of the above, a software configuration for a firewall module or a software configuration for a NAT translation (which is how this thread started) makes little difference; either is configurable and can be configured correctly or incorrectly. This is where skill and things like penetration tests come in.
Correctly configured firewalls are recognised as a security barrier without any NAT in place; this is irrespective of the version of the IP protocol flowing through them.
Even in the home markets, if a vendor has preconfigured their firewall, generally the consumer trusts that it works as designed; once again, the IP version is not relevant to the argument. ISPs are already providing pre-configured IPv6 firewalls with equivalent functionality to drop unsolicited inbound connections.
There is no issue here for home network security.
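
The distinction drawn in the post above between the implicit default deny and an explicit logged drop rule, shown as an added example that is not part of the original post: an nftables ruleset for a home router, with the interface names lan0 and wan0 assumed. The inet family applies the same rules to IPv4 and IPv6, and no NAT is configured.

```nft
# Added illustration, not from the thread. Assumed interfaces:
#   lan0 = inside (home network), wan0 = outside (ISP uplink).
table inet home_fw {
    chain forward {
        # Implicit default deny: a packet that no rule accepts is dropped
        # by the chain policy. Nothing is logged and no rule line shows it.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections opened from the inside,
        # including related ICMP/ICMPv6 errors, for both IP versions.
        ct state established,related accept
        ct state invalid drop

        # User rule: the only opening. Inside hosts may connect outbound.
        iifname "lan0" oifname "wan0" accept

        # Explicit cleanup rule: same verdict as the policy, but placed in
        # the rule base so that dropped packets can be logged (rate-limited).
        limit rate 10/second log prefix "fw-forward-drop: "
        drop
    }
}
```

Removing the last two rules leaves the verdict for unsolicited inbound connections unchanged, since the chain policy still drops them; only the log entries disappear.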