From experience most NAS drives, cctv boxes are built cheap and dirty. They are often slow and the proud product of a shite company/software developer.

Bad actors are running scripts on their servers, automated looking for know exploits in pages, ports and software. They are actively scanning thousands of WAN facing devices a minute.

Web pages are often written with poor practices. There is little to no care for security but just enough to satisfy the end user.

Java script protected pages (may aswell just write the password on the page)

Usernames and passwords embedded into source code. Session variables stored in cookies in plain text. Vulnerable to session hijacking, man in the middle attacks, and more.

One device we pen tested a few years back allowed access to the settings page without logging in. This is due to a header redirect being incorrectly used. The page served the form and tried to redirect the browser. We just stopped the redirect. Changed the password and logged in normally. Potato Security at its best.

These devices often do not have any rate limiting or firewall, which means brute forcing is nothing but pure playground for a nice database of known usernames and passwords. GPUs are fantastic for brute forcing. The more you have the faster you can test usernames and password combinations.

If you must share file access. Setup a VPN. Tunnel into your network securely and then access your NAS.

Assume everyone is gonna get you.