NAS vendors aren't known for understanding security. Opening ssh to the world is no problem, because ssh is everywhere, it's constantly attacked, and half the world would know if an exploitable vulnerability was found.
If NAS vendor ABC has a vulnerability in the login code written by a programmer who hasn't done much more than CSS, it would surprise nobody, and you wouldn't hear about it on any IT news sites. It would just be exploited until all the machines were exploited or until they were all patched.
It really is a world of difference between something known and secure and some random login page.