Have heard this from several Appliance suppliers like Kemp Load Balancers, "its a closed system that does not allow the running of any user code so is secure" so does not need to patched.
Seems a risky stance until you think about it.
Is your storage system the weakest link in security of your data? I would imagine the unpatched Windows box that hosts the data would or a user giving up there credentials to phishing be a far easier mark then the storage system to exploit.
Storage is likely to be in the last 2 or 3% of security patching.