All of the highly successful malware attacks against QNAP have been due to QNAP specific code being exploited, in those cases a reverse proxy does not provide any security protection. A ReverseProxy/WAF does not offer security protection against hard coded credentials, improper authentication token passing, etc.
ModSecurity is 20 years old now, is great for other types of web security stuff that is not relavent to QTS. Also, ModSecurity is nearing depreciation and should not be used anymore. ModSecurity has no rules for QTS Admin webpage and therefore can not perform any sort of intelligent HTML parsing of the data between the QTS Admin page webserver and the client.
As for CVE, well, QNAP has never published any CVE (aside from the hard coded credential thingy, iirc) for their code, they issue a QSA for their code - which goes to show just how disingenuous QNAP really is when it comes to security. The majority of the QNAP CVE numbers assigned are due to 3rd party code that QNAP relies on such as PHP, OpenSSL, smdb, etc. They want to look like they're doing something about security, but in reality they're trying to hide as much as they can.
Only time will tell if QNAP will improve on their disclosures or not. There are many bug hunters that are really quite ** off with QNAP because of how draconian QNAP tried to be with the people that disclose vulnerabilities to QNAP. There is a growing sentiment in the bug hunter community that QNAP has basically squandered any goodwill that is left.
RAID is not a Back-up!
H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)