A router "only" connects you to the Internet afaik. It does not contain private data, and especially when using a VPN only encrypted data travels through it.
It is permanently online, just like most phones, no open ports etc.
There are for sure attack vectors just like for your phone itself. And I am sure a hacked router would still cause problems.
But it is way better than a
- hacked phone
- hacked DNS server
- hacked webserver