You're asking several very good questions:
Because even if you create a network on the same channel, ESSID and BSSID (where basically everything up to step 3 of the 4-way handshake is the same), the final PMKID will be different without the exact password. When you connect to a WPA2 network and it asks for a password, your password is actually never sent to the router. It's not necessarily encrypted either in the traditional protected WPA2 password-encrypted frames, BUT your OS hashes the password you entered with the MAC address and sends it to the router in a weird separate frame (where all the EAPOL stuff happens), and if it's the right PMKID hash.
The weird part is that even unauthenticated users can still sniff this portion even if they're not directly connected at the IPv4 level. There is probably a huge exploit in being able to sniff it in theory and then reverse the hash with the client's MAC address to calculate what the password entered was, but that's a little too far for me.
To answer your second question: despite the fact that different routers use different firmware and different languages to accomplish the end goal, they almost all follow a very strict IEEE / Wi-Fi Alliance standardized process that comes out pretty much exactly the same no matter how differently each router chooses to implement it. Attacks like using the “Password='*'” format will only work if the password is stored in a database somewhere in the router. I'm not sure how and where exactly the WPA2 password is saved in the router, but it's not a database, so injection-type attacks or magic passwords won't work (unless in theory you are able to create such a weird password that, when hashed with your MAC address, it creates the exact same hash that an authenticated user with the right password would produce [public collision encryption attack], but that may be impossible).
For the actual administrative panels of the routers themselves, however (where you log in to change the ESSID, port forward, etc.), plenty of those actually are vulnerable, and are vulnerable to XSS/CSRF attacks that can expose the password, and further some use very multi-layered languages like JSP to render pages, and within that a whole bunch of exploits…
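As an added illustration (not the poster's code, and not part of the original thread), here is the standard IEEE 802.11 WPA2-PSK derivation the first answer is describing: the PMK is PBKDF2-HMAC-SHA1 over the passphrase and SSID, and the PMKID is HMAC-SHA1 over the PMK, the fixed string "PMK Name", the AP MAC and the station MAC, truncated to 16 bytes. Running it shows why a cloned network with the same SSID and BSSID still yields a different PMKID without the exact passphrase, and why a PMKID that any nearby station can observe is only as strong as the passphrase behind it (the defensive takeaway is a long random PSK, or WPA3-SAE where the PMK no longer derives from the passphrase alone). The SSID "IEEE" with passphrase "password" is the spec's own PBKDF2 test vector; the MAC addresses are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample values (not from the original post).
SSID = "IEEE"                   # matches the IEEE 802.11 PBKDF2 test vector
AP_MAC = "00:11:22:33:44:55"    # hypothetical BSSID (the "authenticator address", AA)
STA_MAC = "66:77:88:99:aa:bb"   # hypothetical client MAC (the "supplicant address", SPA)


def mac_to_bytes(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' (or 'aa-bb-...') into its 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_pmkid(passphrase: str, ssid: str, ap_mac: str, sta_mac: str) -> bytes:
    """PMKID = HMAC-SHA1(PMK, "PMK Name" || AA || SPA)[0:16] (IEEE 802.11i, RSN PMKID KDE)."""
    pmk = derive_pmk(passphrase, ssid)
    data = b"PMK Name" + mac_to_bytes(ap_mac) + mac_to_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def compare_clone_scenarios() -> dict:
    """Reproduce the post's claim: same SSID/BSSID but a different passphrase (a cloned
    network) or a different station MAC gives a different PMKID, while the real
    passphrase and addresses reproduce it exactly."""
    genuine = derive_pmkid("password", SSID, AP_MAC, STA_MAC)
    return {
        "genuine": genuine.hex(),
        # Exact same passphrase, SSID and both MACs: reproduces the PMKID.
        "same_inputs_again": derive_pmkid("password", SSID, AP_MAC, STA_MAC).hex(),
        # Cloned SSID + BSSID but the wrong passphrase: different PMK, so different PMKID.
        "wrong_passphrase": derive_pmkid("passw0rd", SSID, AP_MAC, STA_MAC).hex(),
        # Right passphrase, but a different client MAC: PMKID changes as well.
        "other_station": derive_pmkid("password", SSID, AP_MAC, "66:77:88:99:aa:cc").hex(),
    }


if __name__ == "__main__":
    print("PMK  :", derive_pmk("password", SSID).hex())
    for label, value in compare_clone_scenarios().items():
        print(f"{label:18s}: {value}")
```

The PMK step is deliberately slow (4096 PBKDF2 rounds), which is the only thing standing between an observed PMKID and the passphrase; that is why passphrase length and randomness matter far more than hiding the SSID or filtering MACs.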