Re: faulty "role-based access control evaluation"
My reading of this is that on IISR800s/CGR1000s you have the option of installing an add-on server module. The RBAC issue is around a user with access to the router potentially having access to the guest OS without the correct privilege level (from the linked vulnerability notice: "Exploitation of this vulnerability could allow the attacker to successfully log in to the Guest OS using a low-privileged IOS user credentials."). The intended design is to only allow access with level 15 privileges.
While I'm not disputing it is a bug, guest access to the router is likely to mean a user with restricted access rather than an unauthenticated user - knowing how Cisco's AAA system works and the ability to assign roles to privilege levels, the "only priv 15 should be allowed access" looks like an exception.
I would have thought restricting command sets would have been a suitable workaround, but Cisco doesn't list this as an option and I don't have access to any of these devices to test further.