Rust isn't magic. And you can write CGIs in any language. Shouldn't we also ask why are they using their own web server? or why a company with millions of devices deployed has done little testing?
There is nothing wrong with CGI. It's simply a standard to forward a request from a web server to another application using environment variables and stdio. Generally, you want your router routing, not wasting CPU and memory running admin applications that are used less than once a month.
CGI is still great environment for simple webapp on embedded device. Using Rust is normally overkill and increases complexity. Python/PHP should be enough.
Let's not going to that debate. It's a good start to improve security postures, regardless how you spin it.
But more importantly, my point is why are they doing CGI at all?