I think most are in the same boat as IPv6 is complicated.
It's only complicated if you are thinking it's a *version* of IPv4. If you dig a bit deeper and understand the concepts it's actually far less complex.
In its simplest form the 128-bit IPv6 address is split into two parts.
The first 64 bits are the prefix and the second 64 bits are the (node) address. The first 64 bits are primarily for routing purposes; the second 64 bits identify the node (the client address) once the route has been identified/completed.
If the prefix is shorter than 64 bits (like 60, 56, 48 or 32) then you have a prefix which is smaller, and the address/routing options are much larger and can be subdivided by a router.
A /64 (the second half of the address) is just one subnet, conceptually similar to how 192.168.1.0/255.255.255.0 is one IPv4 subnet.
The difference is IPv6 has 18 million trillion addresses in that subnet; IPv4 has only 256 addresses.
Final point on the router WAN IPv6 address is that it's a /128 and assigned from a different prefix to the /48 prefix delegation assigned to the LAN networks.
Normally this is not true; the CPE address from the upstream provider is assigned from the same prefix. The CPE (customer router) requests an address during the DHCPv6 client solicitation process (DHCP option 3), and the upstream provider issues an address in the form of the prefix plus the IPv4 address in hex form (with some f's in the middle to pad the address out to 64 bits). The router ends up with a /128 address (/64 prefix plus /64 node address).
This only ever changes if your upstream provider changes the prefix (and/or the IPv4 address). Once the router has that address the upstream provider will route any IPv6 blocks to the /128 address. Depending on the ISP this might be a single /64 subnet or multiple /64 subnets in the form of a /60, /56 or /48 or whatever prefix. The CPE/customer router then takes over and routes those prefixes as required.
Andrews and Arnold have a good explanation here.
support.aa.net.uk
In a SLAAC setup the router only advertises the prefix to any clients via router advertisements and neighbor discovery. The clients themselves decide the address and ensure there are no duplicate addresses. There is no need for a DHCP-type server in local IPv6 networks. The clients themselves should then deprecate and update those addresses (the second 64 bits of the address) on a regular basis. This is called a privacy or temporary address and enhances security by *not* providing sticky addresses.
You can have many LAN networks and assign each a separate /64 prefix.
You can *only* assign a /64 subnet to an interface. Anything bigger than that needs to be chopped up by the router and handed out as separate subnets, with the router then providing the routing between them.
2) devices are not frequently changing prefix and causing issues
Ideally, once the ISP issues a prefix it shouldn't need to change, because the address space is so vast that it's just not necessary to constantly churn the prefixes.
Saying that, a prefix change should not cause issues, as the router will update and the prefix flows downstream to the nodes.
3) firewall rules need sticky IP addresses
Firewall rules primarily act on UDP/TCP protocols and ports, not on specific IP addresses. You can of course also block specific IP addresses in both IPv4 and IPv6.
I'm thinking in terms of IPv4 where routers and their devices have the same public IP, that's why I'm getting confused.
That's because of NAT (Network Address Translation), which does not exist in IPv6 networks. Every assigned IPv6 address is nominally addressable from anywhere (unless blocked by firewall or routing rules).
Typed up super quick, so apologies for the typos and if that's not clear enough for you.
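To make the prefix/node split, the /64-per-interface rule and the SLAAC address formation from the post above concrete, here is an added worked example (not part of the original post, and not tied to any particular ISP's practice). It uses Python's standard `ipaddress` module on the documentation prefix 2001:db8:abcd::/48 (a constructed example delegation): it splits an address into its 64-bit prefix and 64-bit interface identifier, compares the size of a /64 with an IPv4 /24, carves the /48 into the /64 subnets a router would hand to each LAN, and builds both a stable (modified EUI-64, RFC 4291) and a random temporary (RFC 4941-style) interface identifier under an advertised /64. The MAC address and the deterministic random source in the demo are made up for illustration.

```python
import ipaddress
import os

# Constructed example: a /48 delegation from the ISP (documentation range, RFC 3849).
DELEGATED_PREFIX = ipaddress.IPv6Network("2001:db8:abcd::/48")
IID_MASK = (1 << 64) - 1


def split_address(addr_str):
    """Split a 128-bit IPv6 address into its 64-bit routing prefix (as a /64
    network) and its 64-bit interface identifier (the 'node' half)."""
    n = int(ipaddress.IPv6Address(addr_str))
    prefix = ipaddress.IPv6Network(((n >> 64) << 64, 64))
    iid = n & IID_MASK
    return prefix, iid


def addresses_in(network_str):
    """Number of addresses in an IPv4 or IPv6 network (2**64 for any /64)."""
    return ipaddress.ip_network(network_str).num_addresses


def lan_subnets(delegation, new_prefix=64):
    """Carve a delegated prefix into /64 subnets: one per LAN interface, since a
    single interface only ever gets a /64. A /48 yields 2**16 of them."""
    return list(delegation.subnets(new_prefix=new_prefix))


def eui64_iid(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A):
    insert ff:fe in the middle and flip the universal/local bit of byte 0.
    This is the 'sticky' identifier that privacy addresses are meant to replace."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    b = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    b[0] ^= 0x02
    return int.from_bytes(b, "big")


def temporary_iid(rng=os.urandom):
    """Random 64-bit interface identifier for a temporary (privacy) address,
    in the spirit of RFC 4941. The u/l bit is cleared so the value can never be
    mistaken for a globally-unique EUI-64. `rng` is injectable for testing."""
    b = bytearray(rng(8))
    b[0] &= 0xFD  # clear bit 0x02 (universal/local)
    return int.from_bytes(b, "big")


def slaac_address(advertised_prefix, iid):
    """Form the full address a host builds from a /64 advertised in a Router
    Advertisement plus its own interface identifier."""
    if advertised_prefix.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix on the link")
    if iid >> 64:
        raise ValueError("interface identifier must fit in 64 bits")
    return ipaddress.IPv6Address(int(advertised_prefix.network_address) | iid)


def demo():
    """Walk the delegation: first LAN /64, stable and temporary host addresses."""
    lan0 = lan_subnets(DELEGATED_PREFIX)[0]
    stable = slaac_address(lan0, eui64_iid("00:1a:2b:3c:4d:5e"))  # constructed MAC
    temp = slaac_address(lan0, temporary_iid())
    return {
        "lan_count": len(lan_subnets(DELEGATED_PREFIX)),
        "lan0": str(lan0),
        "ipv6_per_64": addresses_in("2001:db8::/64"),
        "ipv4_per_24": addresses_in("192.168.1.0/24"),
        "stable": str(stable),
        "temporary": str(temp),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The stable address is what an attacker can track across prefixes, because the EUI-64 half follows the MAC wherever the host goes; the temporary address changes the bottom 64 bits while the routing prefix stays the same, which is the point the post makes about not providing sticky addresses.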