You have to understand that all decisions in regard to security come down to how two areas are assessed: risk and ease of use.
Risk is measured in two ways: how likely something is to occur and, if it does occur, how bad it is. If a risk is low, and I consider the BDP behind a NAT to be a low risk from external attack, then there is little need to put in protection. Your BDP being broken into remotely: not likely. On the off chance it is, there are ways of protecting your data (by limiting permissions as outlined previously). Attacked locally, well, then you have bigger issues than your music being at risk. If something is at risk, an attacker is more likely to mine network traffic for banking and other financial data or something to blackmail you with. Or it's someone you live with; if that's the case, what's stopping them from just smashing your hard drives? Nothing.
Any additional security would just potentially make the system more difficult to use.
In regard to our lack of encrypting passwords stored on the BDP, as a former security consultant, it's a bit of a waste of time. The software needed to decrypt the encrypted password must be stored on the same system in order to use the encrypted password. If the system is compromised, they already have everything they need to decrypt it anyway. What's the point? The only way to protect those passwords is to not store them in the BDP at all; this would result in the user having to enter the password each time the BDP was turned on or lost connection.
This is why you would create credentials that only allow access to the files needed and would limit their access. In your case you would create a user with a password on your NAS and give it read-only access to the files. You would then use these login credentials with the BDP to access your music share. Again, the risk of this ever occurring is incredibly low, that you would consider the consequences before proceeding.
Why don't we lock down the BDP's firmware? We don't want to. We want the firmware to be open and available to all; it's that simple. Besides, even closed systems are broken into, so what's the point? Look at Apple's iPhone: Apple employs thousands of engineers and the first iPhone hacks were released within months.
....
Written on an iPhone while on a treadmill
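
The read-only NAS account described in the post, sketched as an added example that is not part of the original post or the vendor's documentation. It assumes the NAS serves the music share over SMB with Samba; the share name, path and account name `bdp_reader` are hypothetical.

```ini
# smb.conf fragment (added example; assumes a Samba-based NAS).
# The account "bdp_reader" and the path /volume1/music are hypothetical.
#
# Create the account first, with no interactive login, e.g.:
#   useradd --no-create-home --shell /usr/sbin/nologin bdp_reader
#   smbpasswd -a bdp_reader
# The files should be owned by a different account so that filesystem
# permissions also deny writes to bdp_reader.

[global]
    # Never fall back to the guest account when a login fails
    map to guest = Never

# Weak form, shown commented out for comparison: anyone on the LAN can
# connect without a password and modify or delete the library.
;[music]
;    path = /volume1/music
;    guest ok = yes
;    read only = no

# Hardened form: one dedicated account, read access only.
[music]
    path = /volume1/music
    guest ok = no
    # Only the player's dedicated account may connect to this share
    valid users = bdp_reader
    # Deny all writes through this share
    read only = yes
    # No account is exempted from the read-only rule
    write list =
```

If the password stored on the player is ever recovered, it grants read access to this one share and nothing else. Running `testparm` on the NAS checks the fragment for syntax errors before Samba is reloaded.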