
Product recalls are for defects that can cause physical injury. If the MyBook had an electrical defect that could cause a shock hazard or start a fire, it would have been recalled.

Many products have flaws, but if the worst that can happen is that the customer feels ripped off, they don't get recalled. There might be remedies under an express or implied warranty, but tech products typically disclaim all of that in their terms of service.



Total remote control of the device allows quite a bit... disabling thermal protection, disabling fans, changing voltages on regulators to be out of allowed range, etc.

Just because attackers didn't choose to destroy a device in this instance, but just erased it, doesn't mean allowing control of all software on the device to randos on the internet by not patching a root RCE vulnerability is not a physical safety issue.


> Total remote control of the device allows quite a bit... disabling thermal protection, disabling fans, changing voltages on regulators to be out of allowed range, etc.

Having total remote control of an IoT device doesn't mean any of these things. Thermal protection is hardware driven, typically on die; on cheap devices fan control is implemented in hardware because it's cheaper and easier than software solutions. Voltage regulators are hardware devices that aren't adjustable; even adjustable ones have a working range that is set via resistor. Switching power supplies aren't software driven.


All of that is software controllable on many devices, especially on SoC-based NASes. The working range of adjustable regulators is almost always higher than the device connected to it (a resistor may be used to set the default voltage, for example), on pretty much all HW I've seen so far, with no way to set hard limits. And you can also cause issues just by abusing transients, even on regulators that can only be turned on/off. Thermal protection on SoCs is usually based on a SW regulation loop. (grep for cooling-device through DTSes in the Linux tree; all those SoCs have regulation in SW)
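An added example, not part of the thread: a more structured version of the `cooling-device` grep mentioned in the comment above, for auditing which thermal trips on a board are bound to software-managed cooling devices. The DTS snippet, its labels and the function names are constructed for illustration and follow the Linux `thermal-zones` device tree binding.

```python
import re

# Constructed sample in the Linux thermal-zones binding format (not from a real board).
SAMPLE_DTS = """
thermal-zones {
    cpu-thermal {
        thermal-sensors = <&tsadc 0>;
        trips {
            cpu_fan:   cpu-fan   { temperature = <55000>; hysteresis = <2000>; type = "active"; };
            cpu_alert: cpu-alert { temperature = <70000>; hysteresis = <2000>; type = "passive"; };
            cpu_crit:  cpu-crit  { temperature = <95000>; hysteresis = <2000>; type = "critical"; };
        };
        cooling-maps {
            map0 { trip = <&cpu_alert>;
                   cooling-device = <&cpu0 THERMAL_NO_LIMIT THERMAL_NO_LIMIT>,
                                    <&cpu1 THERMAL_NO_LIMIT THERMAL_NO_LIMIT>; };
            map1 { trip = <&cpu_fan>; cooling-device = <&fan0 0 1>; };
        };
    };
};
"""

# A leaf node: optional "label:", a node name, and a body with no nested braces.
LEAF = re.compile(r"(?:(\w+):\s*)?[\w-]+\s*\{([^{}]*)\}")

def prop(body, name):
    """Return the raw value of property `name` in a node body, or None."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*=\s*([^;]*);", body)
    return m.group(1).strip() if m else None

def software_cooling_maps(dts):
    """List (trip label, trip type, millidegrees C, [cooling devices]) per cooling map."""
    trips, maps = {}, []
    for label, body in LEAF.findall(dts):
        if label and prop(body, "temperature") and prop(body, "type"):
            # Labelled trip point: remember its type and temperature.
            temp = int(prop(body, "temperature").strip("<>"))
            trips[label] = (prop(body, "type").strip('"'), temp)
        elif prop(body, "cooling-device"):
            # Cooling map: the kernel's thermal governor drives these devices.
            trip = (prop(body, "trip") or "").strip("<&>")
            maps.append((trip, re.findall(r"<&(\w+)", prop(body, "cooling-device"))))
    return [(t, *trips.get(t, ("unknown", None)), devs) for t, devs in maps]

if __name__ == "__main__":
    for row in software_cooling_maps(SAMPLE_DTS):
        print(row)
```

Trips that appear in the output are regulated by the kernel through the listed cooling devices; the `critical` trip has no cooling map and is not listed.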



