The worst example is the old version of Samba, the most used service.
The version in firmware v04.05.00-342 is 2:3.6.6-6+deb7u1
The latest version available by apt-get with the installed Debian repositries is 2:4.2.14+dfsg-0+deb8u9
CVE-2017-7494 (24 May 2017) security warning states that versions 3.5.0 to 4.6.4 contain a well known priviledge escallation vulnerability. Version 4.6.5 was released June 6, 2017, yet WD firmware v04.05.00-342 was compiled 6 August 2019 without that fix.
Surely WD has heard the “Internet of Things” scare? Here we have a Debian system in volatile storage (unlike the dreadfully insecure Nest devices) which has the obvious potential for attack yet good potential for timely patching.
v04.05.00-342 contains Linux kernel v3.2.26 #1 SMP Thu Jul 9 11:14:15 PDT 2015 wd-2.4-rel armv7l while almost everyone is using kernels v4 or v5.