Part of the problem is that these devices tend to have custom operating systems and custom builds of webkit, both outdated or forked from outdated code. As a result they haven't benefited from the full set of security audits and improvements you get if you're running Safari on an iPhone, or Chrome on Windows. A couple PS4 attacks rely on the fact that the PS4 sandbox allows access to BPF from the content process, for example - that's an odd choice and I doubt it's one you'd see in the sandbox of a consumer web browser like Chrome or Safari on a desktop PC. It's a Sony oversight.
does the threat model require anything more? i haven't really been exposed to consoles since i was a kid, but i don't get the impression that end users do anything terribly sensitive on them. i thought that whatever security existed was mainly intended to combat piracy. if the majority of the risk falls on sony, i don't really care how well they secure the device.
An attacker might potentially be able to get at your card details, since you need to enter them in order to buy stuff on the PS Store.
Also, the PS4 has social media integration, so it might be possible to access your accounts somehow.
(I'm not saying that an attacker definitely can do this; I'm merely pointing out that there are potentially some bits of private information on the PS4.)