Excuse me, but I think you just made quite clear your great ignorance of what you are talking about. I want to imagine that you know that CVEs can be queried (https://www.cvedetails.com/ for example). If you want, you can take a look at the number of vulnerabilities reported over the years for any software / product, and compare the vulnerabilities of QTS against any other device. In case you don't want to bother taking a look, for example:
Last 8 years (CVE):
QNAP -> 110
Synology -> 188
Firefox -> 1957
Windows 10 -> 2393
Chrome -> 2227
iOS -> 2443
MacOS X -> 2870
Android -> 3795
I sincerely believe that I do not understand the concept of "expose" of a device to the Internet. You are much more likely to have any problem on the rest of your devices than on the NAS, many of them connected to the Internet 24/7. So please, at least don't put the noose around your own neck, talking about matters of which, clearly, you have quite little knowledge.
Of course, you ALWAYS take a risk by exposing any device to the Internet, but in the end you make a balance between usability / functionality / risk. Zero risk does not exist and will never exist, but using it as an excuse to isolate all devices is a very bad excuse, especially when you probably have your mobile (Android / iOS) exposed to the Internet 24/7 (and possibly other devices as well, or intermittently). The real danger is being conscientious and not taking the minimum security measures or recommendations from REAL experts. And of course have a little common sense.
Oh, and there is no need to repeat it: in environments where the security and integrity of the data is totally essential (confidential / secret / highly sensitive information ...), since zero risk does not exist, these devices have to be plainly and simply disconnected from the Internet, completely isolated. Neither VPN nor remote access.
Greetings.