I'm not saying YOU are wrong -- I am saying that it is a risky action to expose a NAS to the internet, especially given Synologies track record and the last RCE vuln was only last month...

True about patching! However, in general Synology only supports their hardware for the warranty period (4 or 5 years). So there is a betting chance that a 10 year+ old NAS might unsupported and vulnerable. They have no clear policy here. Sometimes are patches for 5y, some are 9y.

In this particular case, It looks like Synology back-ported the fixes to DSM 6.2 (must have been a very bad vuln, as these end of life). Yes, occasionally for really bad vulns, end of life things are patched. Absolutely no guarantees tho.

DSM 6.0 is end of life 2024. DSM 7.2+ needs a 2015+ model