I think there's a major misunderstanding here. I totally agree using an ISP provided router is a bad idea (hence my link to NSA's recent announcement). My only concern with the Fortigate (or any vendor for that matter) approach is the lack of access to security patches without an active subscription. This isn't a risk to be ignored, especially with the numerous RCEs Fortinet has been struggling with. If you're willing to pay for the subscription, I highly recommend it, it was in my list after all.

So do you realize this: let's say you go to a web site, xyz.com, but you don't worry because you have the ISP router with "virus protection" so you're all set, right?? Ha Ha. If that web site is secure, like most are today, then the connection from the browser to the web site is encrypted (that little lock symbol) and guess what, your router CAN'T SEE ANY OF THAT DATA. So you better hope that none of xyz.com's advertisers, or xyz.com itself, is infected, because guess what, you are now infected.
On a Fortigate, you install a certificate from the router on all your computers, or important devices at least, and the Fortigate decrypts the encryption, scans it, then re-encrypts the data so your browser puts on the lock, and everything is encrypted end-to-end, but it is also fully scanned. Regular routers don't do that. Same with encrypted DNS traffic (TLS over port 853 is better encryption than DNS over HTTPS, by the way). And the Fortigate intercepts the DNS traffic, even if it doesn't use the DNS server you gave it. (Many use 22.214.171.124 no matter what you TOLD it to use.) And a good bit of traffic NEVER goes to a DNS server at all. The IP address is hard coded in it. If the Fortigate can't decrypt it for whatever reason, it's blocked.
You can check any web address here, and they have millions. Don't forget to check you're not a robot.
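The two DNS behaviours the post above describes, devices that query a resolver other than the one they were handed, and traffic that goes straight to a hard-coded IP with no lookup at all, are both visible in a firewall's DNS and connection logs, whether or not the appliance intercepts them. The script below is an added example, not code from the post, the poster, or Fortinet: it correlates constructed sample events (DNS queries, DNS answers, outbound connections) and reports connections to unsanctioned resolvers on ports 53/853 and connections to public IPs the client never resolved. The LAN range and resolver address are assumed documentation-range values.

```python
import ipaddress

# Constructed assumptions (not from the post): the resolver handed out by DHCP
# and the LAN range whose internal destinations are not worth flagging.
CONFIGURED_RESOLVER = "192.0.2.53"
LAN_NETWORK = "192.0.2.0/24"

# Plain DNS on 53 and DNS over TLS on 853 (the post's "TLS over port 853").
DNS_PORTS = {53, 853}

# Constructed sample event log, one tuple per event:
# (timestamp, kind, src_ip, dst_ip, dst_port, detail)
SAMPLE_EVENTS = [
    ("10:00:01", "dns_query",  "192.0.2.10", "192.0.2.53",    53,  "www.example.com"),
    ("10:00:01", "dns_answer", "192.0.2.10", "192.0.2.53",    53,  "www.example.com=203.0.113.10"),
    ("10:00:02", "connect",    "192.0.2.10", "203.0.113.10",  443, ""),
    # Device that ignores the resolver it was told to use and asks another one.
    ("10:00:05", "dns_query",  "192.0.2.20", "198.51.100.1",  53,  "updates.example.net"),
    ("10:00:05", "dns_answer", "192.0.2.20", "198.51.100.1",  53,  "updates.example.net=203.0.113.20"),
    ("10:00:06", "connect",    "192.0.2.20", "203.0.113.20",  443, ""),
    # Device connecting to a hard-coded IP that it never looked up.
    ("10:00:09", "connect",    "192.0.2.30", "203.0.113.99",  443, ""),
    # Device opening DNS over TLS to an unsanctioned resolver.
    ("10:00:12", "connect",    "192.0.2.30", "198.51.100.1",  853, ""),
]


def analyze(events, configured_resolver=CONFIGURED_RESOLVER, lan_network=LAN_NETWORK):
    """Return rogue-resolver use and never-resolved outbound connections.

    Events are processed in order, so an answer only "covers" connections
    that come after it; an IP reached before any lookup is still flagged.
    """
    lan = ipaddress.ip_network(lan_network)
    resolved = {}          # src_ip -> set of IPs that host actually received in answers
    rogue_resolvers = []   # (ts, src, dst, port): DNS sent somewhere other than the resolver we gave out
    unresolved = []        # (ts, src, dst, port): outbound connection with no preceding lookup

    for ts, kind, src, dst, dport, detail in events:
        if kind == "dns_query":
            if dst != configured_resolver:
                rogue_resolvers.append((ts, src, dst, dport))
        elif kind == "dns_answer":
            # Record what this client was told, even if the answer came from a rogue
            # resolver: the later connection is then "resolved", just not sanctioned.
            _name, _, ip = detail.partition("=")
            resolved.setdefault(src, set()).add(ip)
        elif kind == "connect":
            if dport in DNS_PORTS:
                # Any DNS or DoT session to a non-configured resolver is a finding
                # on its own, regardless of what it resolves.
                if dst != configured_resolver:
                    rogue_resolvers.append((ts, src, dst, dport))
                continue
            if ipaddress.ip_address(dst) in lan:
                continue  # internal traffic is out of scope for this check
            if dst not in resolved.get(src, set()):
                unresolved.append((ts, src, dst, dport))

    return {"rogue_resolvers": rogue_resolvers, "unresolved_connections": unresolved}


if __name__ == "__main__":
    report = analyze(SAMPLE_EVENTS)
    for ts, src, dst, port in report["rogue_resolvers"]:
        print(f"{ts} {src} -> {dst}:{port}  DNS to unsanctioned resolver")
    for ts, src, dst, port in report["unresolved_connections"]:
        print(f"{ts} {src} -> {dst}:{port}  connection to IP never resolved by this client")
```

Note that the client at 192.0.2.20 is reported for using the wrong resolver but not for an unresolved connection: it did look the name up, just not where it was told to. That distinction matters when deciding whether a block policy like the one the post describes (drop what cannot be inspected) would hit a misconfigured device or a deliberately hard-coded destination.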