Right, I'm not so sure this is a routing issue after all.
For fun, I tried redistributing my OSPF routing in to RIP on my firewall/router just for the Zyxel, and enabled passive RIP on the Zyxel's LAN interface. The Zyxel picked up my full routing table and installed it. However, I still was unable to get a response out of it. Interestingly, when I tried pinging from the Zyxel it did seem to use the route correctly, but never acknowledged the response coming back. A tcpdump on my firewall/router's interface that sits on the Zyxel's subnet showed the ping going out from the Zyxel to the target, and the target responding - but the Zyxel always responded saying that the ping had timed out.
So this got me thinking... clearly the routing is working - but the Zyxel is ignoring the response. Is there some sort of filtering involved?
I already had the firewall disabled, so it couldn't be that. However, there is a "Remote Management" section, which by default only permits access to the Zyxel's services (HTTP, SSH, etc.) via the LAN. Which got me thinking again: is it dropping any traffic to its services that originates outside of the LAN subnet defined in the Home Networking section? I tried enabling access from the Trust Domain and shoved in my entire local /8. Unfortunately, still no result. I also tried entering a specific /32 from a host that was trying to access it. Again, no result.
So the next step: drop down on to the busybox shell and examine the iptables rules. There were a huge number of rules shown in the iptables -L output, but at a glance I couldn't see anything amiss. The subnets I'd defined on the Trust Domain had permit entries in the iptables rules, so that all seemed correct.
So ultimately, it came down to the nuclear option: disabling all iptables rules. I'm in bridge mode anyway with TR-069 disabled, and the LAN interface of the Zyxel sits on a heavily firewalled subnet, so what would happen if I removed all of the iptables rules and just permitted everything? I ran the following commands to clear all of the IPv4 rules:
iptables -P INPUT ACCEPT      # default policy ACCEPT for each built-in chain of the filter table
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F            # flush every chain in the nat table
iptables -t mangle -F         # flush every chain in the mangle table
iptables -F                   # flush every chain in the filter table
iptables -X                   # delete the (now empty) user-defined chains in the filter table
And then, as if by magic... I could access the Zyxel's web interface, SSH, ping, etc. from hosts outside of the Zyxel's subnet. Hurrah!
So ultimately, I don't think this was a routing issue, but a firewall issue on the Zyxel itself. Later on, I'm going to try switching back from dynamic routing to static routing and see if that works, and also have a look over the original iptables list and see if there's anything that stands out.
Edit: Yep, I switched back from dynamic routing to static routing and it still works.
Edit 2: Of course, this doesn't persist after a reboot! The same faulty ruleset is applied after a reboot.
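An added Python example, not from the original post: instead of eyeballing a huge `iptables -L` listing, it walks an `iptables -S INPUT` dump top to bottom the way the kernel does and reports which rule (or the chain policy) decides the fate of a management request from a given source, so a host outside the LAN subnet that still cannot reach SSH, HTTP or ping is traced to the exact rule dropping it. The sample rule set, the bridge interface name br0, the 192.168.1.0/24 LAN, the 10.0.0.0/8 trust domain and the test addresses are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `iptables -S INPUT` output (not from a real device); it
# models the post's symptom: management ports answer only to the LAN subnet.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
"""

OPTS = (("-s", "src"), ("-i", "iface"), ("-p", "proto"), ("--dport", "dport"),
        ("-j", "target"), ("--state", "state"))

def parse_rule(line):
    """Extract the options this simulation understands ('!' negation is not modelled)."""
    found = {key: re.search(r"(?<!\S)" + re.escape(opt) + r"\s+(\S+)", line)
             for opt, key in OPTS}
    return {key: m.group(1) for key, m in found.items() if m}

def rule_matches(rule, src_ip, proto, dport, iface):
    # A fresh (NEW) packet never matches a conntrack rule limited to
    # RELATED/ESTABLISHED; any option the rule omits matches anything.
    if "state" in rule and "NEW" not in rule["state"].split(","):
        return False
    return ((rule.get("src") is None or src_ip in ipaddress.ip_network(rule["src"], strict=False))
            and rule.get("iface", iface) == iface
            and rule.get("proto", proto) == proto
            and rule.get("dport", dport) == dport)

def verdict(rules_text, src, proto, dport=None, iface="br0"):
    """Walk INPUT top to bottom; return (verdict, rule) for the first terminal hit."""
    policy, src_ip = "ACCEPT", ipaddress.ip_address(src)
    for line in rules_text.splitlines():
        if line.startswith("-P INPUT "):
            policy = line.split()[2]
        elif line.startswith("-A INPUT "):
            rule = parse_rule(line)
            if rule.get("target") in ("ACCEPT", "DROP", "REJECT") and rule_matches(rule, src_ip, proto, dport, iface):
                return rule["target"], line
    return policy, "chain policy"

def audit(rules_text, sources, services):
    # Map (source, service) -> verdict so blocked management paths stand out.
    return {(src, name): verdict(rules_text, src, proto, port)[0]
            for src in sources for name, proto, port in services}
```

Feed it the real `iptables -S INPUT` output from the busybox shell and the Trust Domain addresses in place of the sample to see which rule answers each remote-management request.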