Firewall rule on what? The OpenWrt device and the modem share the same LAN network for the wifi clients. LAN traffic coming from it will not go through the OpenWrt device firewall (and NAT), so it can freely ping and talk to whatever other device you have in the LAN.
The ISP modem/router is exposed to the outside network, and you don't know if it has special access or other interfaces that can be exploited regardless of its own firewall rules.
On many cable modems you just can't disable or block remote management because that is required by the ISP; some ISPs don't even give you access to the web interface.
There are at least 2, maybe 3 different vulns for WPA2 already, only up-to-date devices using WPA2 are secure.
Note that just having a recent stock firmware release does not mean anything, they always use ancient software versions so unless they specifically state they have fixed it in the release notes, you can safely assume they did not.
If there is another potential weakness
I already told you. If someone takes control of the modem now it has access to the LAN because you have connected the LAN ports to get the clients on wifi to go in the same LAN as the devices after the OpenWrt router firewall.
And this "taking control of the modem" isn't a tinfoil hat conspiracy; there is a very decent chance that will happen within the device's lifetime because embedded device firmwares are just a pile of hacks on top of an ancient Linux-based OS, and they never get updated past a few years of release. But you will keep using that modem for many, many years.
OpenWrt has better code quality and it's using recent software versions, but there have been bugs here as well. With OpenWrt you can usually update the device within a few weeks after vulnerabilities are found, and close that door; with stock firmware it's a crapshoot: they may make an update quickly or they may not update at all forever.
That said I'm not aware of any hilarious remote exploit in OpenWrt as there is no telemetry nor remote management nor secret backdoors for technicians or developers, so most bugs are either wifi vulns (not specific to OpenWrt) or local stuff that requires access to the network or the device.
There is a significant monetary incentive in exploiting devices like this because they are used to (or can give access to other devices that can also be compromised to) create botnets, which are swarms of devices that are used to launch DDoS attacks and bounce illegal traffic to hide its real IPs (similar to Tor but much simpler). Devices that are part of a botnet usually don't show signs of being compromised until they receive an order from the control servers.
The Mirai botnet has been a big thing in recent years and you will find it mentioned in the following articles, but it is not the only one around.
There have been a bunch of remote exploits for years now where embedded network devices have been just hijacked by randoms on the internet by abusing stock firmware "secret" technician backdoors or firmware update, or telemetry or whatever other service the stock firmware is doing to contact the manufacturer's servers on the internet.
The following are some random articles I got with a web search, but there are many others for more or less all big brands.
And this one, where older WD NAS devices with internet access were remote-wiped en masse by hackers, and also links to how QNAP NAS devices have hilariously bad security as "further reading".