1) downloading Windows exe files from Chinese forums
2) the USB storage provided by network card can still contain malware,
3) or can be accidentally booted from
4) it has universal USB controller, so can become any HID device: keyboard, mouse...
I don't know of any modern systems that will execute anything on a newly inserted drive, nor boot from an external drive in the default configuration.
So we are missing a couple of things. First, a vulnerability in the OS/system. Second, an implementation of that vulnerability in a device like this.
Should this design be phased out? Perhaps. There is relatively little difference between not populating the flash memory part of the board and a proper network-only implementation.