This "just rewrite in Rust to have it be secure" is the new "just rewrite everything in assembly to have it be fast" that is popular with newbie programmers, CS freshmen, etc., when they first learn about the various languages, but don't yet appreciate or understand the broader ecosystem implications...
I agree that lets-ASM has been wrong in most cases. However misguided in many cases it may be, in this context it's serving a more pressing problem than the lets-ASM mentality because there is a real security problem with most code that can be solved with different language+tooling and is only insecure because of historical popularity reasons like the rise of C in the 1980s.
If anything, it reinforces it. From the repo introduction:
The current state of the code is quite rough. It's not known to compile with stable Rust 1.0 (the original version was written well before 1.0 stabilized), it doesn't handle composite glyphs, the code isn't organized with Cargo, and it's basically not ready for prime time.
It should build with 1.0 since a recent update, but your other points are valid. That said, it's a PoC and kinda like an MVP. Granted, this is from a domain expert, so the time it took Raph Levien to code this is substantially shorter than it would have taken a beginner in the field of font rendering. However, it's easy to see that something like font-rs can be incorporated into Firefox in the future even before Servo is complete. It's already happening with image decoders.
To answer the parent's questions, which I unfortunately forgot to: if we translate Harfbuzz and FreeType to Rust, it won't take that long. See Dropbox's recent blog post about their translation of Brotli's C code to Rust.