The security folks will say...
Bit of a tricky one, tbh.
While most storage appliances aren't literally incapable of running external code, they almost never do. They're rarely logged into. I *can* SSH onto my NetApp and run code on it... but I don't, and even if I was doing so, the code would almost inevitably be supplied by NetApp themselves, and the SSH session is password-protected and requires a priv elevation to do anything invasive. We're talking about a once-a-year window of opportunity for the attack, rather than a daily occurrence as with a general-purpose OS.
Risk is always chance*impact, and really, the chance of exploiting Meltdown/Spectre on a storage appliance is orders of magnitude smaller than on a general-purpose OS. The attack surface is effectively tiny.
On the other hand, if one DID manage to get me to run the code, the nature of the appliances (always on, with security and detailed stats barely monitored) means that bad code could run undetected for months.
With HCI, on the other hand, there's really no argument - patch it, do it now, and don't try and make excuses.