Indeed, but I wasn’t trying to warn you about that specific REST API exploit; rather, I was cautioning you about the one that will only become known two minutes, two months or two years from now, and who knows what it needs to be exposed to be exploited… perhaps one of the ports you have exposed :)
You might want to consider the commercial version of FreePBX (and even the corresponding supported hardware if you like). I’m not allowed to mention it by name directly due to crazy overzealous enforcement of Rule #1 I will never understand. In any event, having used both, I find it is quite a bit nicer than FreePBX because it comes with so many additional and useful modules, although the HA failover capability is an extra-cost option. But I think it’s also a “hands off” or automatic thing, so if the primary system fails the second one takes over without someone having to do something to make that happen.
The device you mention is basically the same thing but with a different skin that will take more getting used to. By using the commercial version of FreePBX you would basically have what you have now except a little more (but still totally familiar) and running on modern, supported hardware.
What you suggest will of course do exactly the same thing but have more of a learning curve.