Is ransomware attack on ReadyNAS possible?

I entirely agree with you. It was a time that the youngest of us (including me) never knew when internet was using text only, when HTTPS didn't exist and when sending your credit card number on the internet was like signing a blank check.
Then usage changed, research was financed to exploit the potential of the internet, then there were some well known hackers, Kevin Mitnick being one of the most famous one, along with Steven Wosniak (aka Woz the magician, aka Apple co-founder).
Check Kevin Mitnick story, you will see that he hacked most of what could be hacked, nowadays this would require a tremendous amount of people an resources. Woz created a free phone box in a MacGyver like style, I dare you to use a trick as simple to avoid the phone bill nowadays, I would be really surprised if anyone could do it (of course more sophisticated attacks will do the job, but not as simply). Security is taken very seriously.

It's like in war time, in Irak several US soldiers died. Do you really think that US soldier take security lightly ? It's not because you fail at doing something that you didn't try really hard to do it. I know this goes against the Obama slogan (it was "Yes we can !" I think, non-US here), the american dream and those common proverbs (to a valiant heart, nothing is impossible for example), at least if you don't try enough times.
Manufacturers often fail to secure their products for various reasons. But there are also other manufacturers whose job is to secure you. Look at Checkpoint, Palo Alto networks, Sophos, Trend Micro, Kaspersky, AVG... The only thing they sell you is security (or at least the feeling of being secured).
OpenBSD is an highly secure OS, you could use it but its hardware support is limited, its configuration is hard and its software is outdated (because they check for bugs before publishing the software). At some point you have to choose between security and flexibility, that's where many manufacturers fail.
You can make sure nobody hacks you from internet, you just have to cancel you internet subscription and physically cut the wire and you'll be fine. But that's not practical, so you find some other ways to secure yourself. Some firewall give you alerts each time a software tries to get to internet FROM your computer. Most of the time you end up says "yes to all", that's not we don't have the tools but most of the time we don't use them properly.

More over like I said before, security uses layers, any manufacturer can't do all the job for you. If you want that, you want to externalize, and even then if you look at your contract you will see a few lines saying that the provider can't be hold responsible for some things if he did its best.
Google is a good indicator for subject interest, security returned me 559 000 000 results.

For metrics, there are a few guys doing some. There are plenty others of course (including every antivirus brand out there) but here are some examples.
CLUSIF (those who did MEHARI risk management toolbox), my favorite security report but in french (didn't find english version) : http://www.clusif.asso.fr/fr/production ... t-2014.pdf
CISCO : http://www.cisco.com/web/offers/lp/midy ... ode=502656
Checkpoint : http://www.checkpoint.com/campaigns/201 ... ty-report/
And of course Gartner always has something interesting : http://www.gartner.com/technology/resea ... anagement/