Re: True risk profile
This sounds like chicken or the egg.
IF YOU ALREADY HAVE SSH ACCESS (which, presumably you would need to run the exploit in the first place) then you certainly have access to move files on the targeted system. You don't need the Meltdown/Spectre exploit to access data at that point.
My point is that for most storage appliances, your risk profile is broader than the appliance itself. So, the cost/benefit of applying performance deprecating patches on a storage appliance needs to be carefully evaluated.