ShieldsUp is basically a port scan, it detects holes in the firewall. Even the default Windows Firewall manages to stealth all ports, and every router I have ever tested has always passed with flying colours, except the HH3: https://www.grc.com/x/ne.dll?bh0bkyd2
The issue for me specifiically, is port 161. It's used by SNMP and could, within theory at least be used to hijack the router. GRC*|*Port Authority, for Internet Port 161**
BT seem to have a few official lines on this port being open, either it's used for updates, or "to speed up gaming". Personally, I'm more inclined towards the former, as I can't see any reason why it would speed up gaming.
The problem is though, it seems to be accepting any connections, from anywhere. I had a friend, who is on TalkTalk try to connect to my IP on 161 using his web browser, and it accepted the connection and just sat there "waiting" presumably waiting for instructions. I don't like to think what could happen if a SNMP agent was used instead.