It proves it might be possible to backdoor it. Maybe.

I don't know of any modern systems that will execute anything on a newly inserted drive, nor boot from an external drive in the default configuration.

So we are missing a couple of things. First, a vulnerability in the OS/system. Second, an implementation of that vulnerability in a device like this.

Should this design be phased out? Perhaps. There is relatively little difference between not populating the flash memory part of the board and a proper network-only implementation.