Thanks, that's a good writeup.
curl actually seems troubling: FreeNAS is fetching updates from freenas.org, so it's acting as a client. An attacker would have to mount a man-in-the-middle attack for that to be a real concern, or hack freenas.org (in which case I'm hosed anyway), so it's a somewhat complicated attack.
The rest - meh.
But... I'm pretty sure we're overlooking details, and each detail could be a security hole. I.e. if an attacker has cracking FreeNAS on the agenda, he can run "pkg audit -F" and start toying with the CVEs; I'd expect a dedicated team to get something running within days or weeks (and maybe even hours).
Given that a competent analysis would take days, it's probably better to just plug the holes, relevant or not.
Which brings me to the question: is there a chance that FreeNAS will switch to automatic security updates anytime soon?
Given that FreeNAS is currently not a target, and unlikely to become a target anytime soon, it's okay for me if this takes a while, but I wouldn't want to wait indefinitely for it.
Say, a handful of months would be fine, a year would be what I'd expect, multiple years would make me think it's not going to happen until the first attacks succeed and that would be too risky for my use case.