I'm pretty sure a 9.8 CVE for something connected directly to WAN is a very bad thing.
The point is that the title puts the number up there to sensationalize. It doesn't concretely explain the scope or magnitude of the vulnerability.
The 9.8 CVE was for their NAS. Exposing any NAS directly to the open Internet is a Bad Idea.
For that matter, nearly every shit-tier NAS vendor (WD, QNAP) has had some critical remote vulnerability in recent years. Some were notable for mass data loss incidents.
That aside, these companies are all very good at making very, very nice hardware at a price point consumers can afford. Some corners have to be cut and it's often software.
The dirty secret is many Internet of Shit device vendors outsource the software development, often to the lowest bidder in some offshore sweatshop. In some cases it's just a repackage of an ODM design from some no-name company in Shenzhen.
None of which are known for secure coding or good software practices.
Criticize all you want, but this is a textbook example of getting what you paid for.
It's unreasonable to pay $100 for a D-Link box and expect it's Cisco ASA quality with free indefinite support.
Cisco, Juniper, and Palo Alto would all tell you to pound sand if you expect support after EOL or if you let your maintenance contract (aka protection racket) lapse.