I'd be far more weary of the application level services provided by Synology than of the kernel in this context, as long as the vendor backports the various fixes and you update the kernel you should in theory be fine. But the applications get far less scrutiny.

What you really never ever should do is expose your NAS to the internet, even if vendors seem to push for this. Of course you'd still be vulnerable to a local compromised application on another machine that is on the same network as the NAS. It's all trade-offs. My own solution to all this was quite simple but highly dependent on how I use the NAS: when not in use it is off and it is only connected to my own machine running linux, not to the wifi or the house network.