5) the VAST majority of exploits are done for commercial gain in some shape or form
Not always ....
Zombie nets
Somewhere to host questionable content to share amongst "friends"
etc. etc.
(besides, the NAS specifically included uPNP in order to configure itself to do this very task on the internet - if you were a product designer, would you do this as standard if you weren't very confident about it's security?)
If you were a product designer, product marketing probably came downstairs to see you with a list of features from competitive products and said "what other funky features can we put in to our box to give us a USP". In today's IT market it's all about maximising sales ....
Lets face it .... product design for residential products is NOT security lead. That includes residential firewalls embedded on cheapo routers, which don't compare in the least with their commercial variants.