You should only be able to access services on the modem that are enabled. Turn off telnet, SSH, etc, if you aren’t using them and force remote access to ACEmanager to only use SSL. You can even set it where only a specific set of address have access to ACEmanager. Set a strong password for management of the modem and call it a day. I’ll assume from the limited info you left that your modems were hit by Mirai. A non-default password on the modem would have mitigated that issue. I’m managing “several” devices on static IP addresses, and that’s how I have them setup.
However if you are forwarding ports to devices on the LAN side of the modem or placing a specific LAN IP in the DMZ, you will need to take the necessary precautions to secure those devices or services. Nothing to do with the modem in that context since it is only forwarding traffic as you asked it to and the problem in that case is with the security on your traffic sensors.
Another option would be contacting your cellular provider and see if a private APN might be an option for you. I have “a few” devices setup that way too. The only way to access those devices is for traffic originate from our internal network. So either be physically located here or authenticated via VPN. Of course we have a couple applications that are accessible from the outside world on these systems and it’s a simple port forward (a NAT rule really) to allow the traffic in to the private network.