
I agree with you regarding all of the above, except for the DMA bit. That has to do with crappy drivers causing crashes. Without direct DMA you'd have horrendous performance issues. It is not a transistor count issue.

These days pluggable devices (SATA, USB) don't get DMA access. Only physical cards do (PCIe, etc.) -- again because of performance issues.




Some machines have had an MMU or equivalent device between peripheral and memory, to provide memory protection. IBM's channels did that. Some early UNIX workstations (Apollo) did that. But it has sort of disappeared.

Both FireWire and PCIe over cable expose memory via a pluggable interface. In the FireWire case, it's not really DMA; it's a message, but the ability to patch memory is there. FireWire hardware usually offers bounds registers limiting that access. By default, Linux allowed access to the first 4GB of memory (32 bits), even on 64-bit machines. (I once proposed disabling that, but someone was using it for a debugger.)


In fact, IOMMUs reappeared in the last few years in the form of VT-d. On systems that support it, DMA attacks should not be possible.
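An added example, not part of any comment in this thread: on Linux, one way to see which PCI devices an IOMMU such as VT-d actually manages is to compare `/sys/bus/pci/devices` with `/sys/kernel/iommu_groups`. The function names and the sample tree are constructed for illustration.

```python
import os

def iommu_coverage(sysfs_root="/sys"):
    """Map each PCI device (BDF string) to its IOMMU group number.

    A value of None means the device appears in no IOMMU group, i.e. its
    DMA is not being mediated by an IOMMU.
    """
    pci_dir = os.path.join(sysfs_root, "bus", "pci", "devices")
    groups_dir = os.path.join(sysfs_root, "kernel", "iommu_groups")
    coverage = {}
    if os.path.isdir(pci_dir):
        coverage = {bdf: None for bdf in os.listdir(pci_dir)}
    if os.path.isdir(groups_dir):
        for group in os.listdir(groups_dir):
            dev_dir = os.path.join(groups_dir, group, "devices")
            if not os.path.isdir(dev_dir):
                continue
            for bdf in os.listdir(dev_dir):
                if bdf in coverage:  # skip non-PCI (platform) devices
                    coverage[bdf] = int(group)
    return coverage

def unprotected(coverage):
    """PCI devices that are in no IOMMU group, sorted by address."""
    return sorted(bdf for bdf, grp in coverage.items() if grp is None)

def build_sample_tree(root):
    """Constructed sample: three PCI devices, only two placed in groups.
    Real sysfs uses symlinks here; plain directories are enough to list."""
    for bdf in ("0000:00:1f.0", "0000:01:00.0", "0000:03:00.0"):
        os.makedirs(os.path.join(root, "bus", "pci", "devices", bdf))
    for group, bdf in (("0", "0000:00:1f.0"), ("1", "0000:01:00.0")):
        os.makedirs(os.path.join(root, "kernel", "iommu_groups",
                                 group, "devices", bdf))

if __name__ == "__main__":
    cov = iommu_coverage()  # reads the live /sys of this machine
    for bdf in sorted(cov):
        print(bdf, "group", cov[bdf])
    missing = unprotected(cov)
    # Caveat: group membership shows the IOMMU manages the device; it does
    # not show whether the kernel runs it in translated or pass-through mode.
    print("no IOMMU group:", ", ".join(missing) if missing else "none")
```

If every device reports no group, the IOMMU is most likely disabled in firmware or on the kernel command line.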


I don't know about IBM channels. PCIe root has the ability to restrict transfer to a certain range, and depending on system configuration there are remapping registers that translate between PCIe address and host memory address -- which you can fudge with to remap things how you like.

FireWire was basically external PCIe (before there was PCIe) and you would be able to do DMA, and there was a proof of concept of someone using an early iPod to read/write host memory.

You can't with things like eSATA or USB. There is no DMA capability for the external device to exploit. The host controllers (EHCI and the like) are the ones doing the DMAing. You can't write directly to memory with those. Of course USB is exploited by doing things like descriptor buffer overflows.


I believe PCIe DMA is a message as well.



