Looking at using older hardware we have spare (a MacBook Pro 2012 or rpi4) seem to have a track record of underperforming

In what sense?

I’m having trouble finding good options particularly in regards to openwrt at least.

Everything I can get in local stores isn’t supported by openwrt (neither are the current routers).

IIRC, OpenWRT tends to support older hardware. I once bought new hardware to run it, so I know that it’s been out there, but if you want something to run OpenWRT and aren’t too fussed about having the latest hardware, you can probably grab something off eBay or something, especially if what you care about isn’t the WiFi side of things, where things have changed over time. Might be possible to run a USB WiFi adapter or something, if you want the latest WiFi protocol.

Would the MacBook Pro or rpi4 with a second Ethernet nic running a firewall before the routers also fix the issue of not getting security updates?

Pretty much, if you’re talking Internet-facing stuff. I mean, you might still want updates for, I dunno, NTP updates or something where the router talks to the Internet. And if it’s doing WiFi and there’s some vulnerability associated with that, theoretically you could be attacked locally. In general, I wouldn’t worry too much. There are probably a ton of unsupported, unupdated Internet of Things devices on LANs all over the place, so shrugs. It’d be nice to have maintenance and security updates for everything, but in practice, there’s probably a lot of stuff that is always going to be unmaintained on most LANs. Smart TVs, printers, whatever. Maybe we should change that, but as things stand, kinda the norm.