On "locking" your systems, you guys should have both an option to not broadcast the ssid, and there should also be an option for wireless password. I can't believe Xfinity would set something up that doesn't let you password protect your wireless.
Otherwise, I have always been a big fan of separate modems / routers. I no longer have cable, but when I did, the Motorola Surfboard served me well as a modem. I've never used the rental modem from any company.