No, you are now going the 'glass half full' road while in reality the glass is still 90% full.
No, just pointing out there is no magic here, and an obvious false sense of security. It is true that DHCP+DNS is probably two orders of magnitude easier to do right and verify than the whole stack, but the temptation to use a readily provided example without verifying it is high, especially given the advice (e.g. in my post above) that using W5500/W6100 is really simple.
Besides, separation alone isn't nearly a sufficient level of protection. If the chip offered TLS, then that would be pretty significant, but because it does not, an attacker can still use malformed payloads to trigger bugs in firmware. The attack surface is smaller, but not by orders of magnitude.
For a completely safe and secure implementation, you are still at the mercy of libraries like mbedTLS, integrating them right, and doing your own code right. I claim that the Wiznet chip does not offer a significant improvement in time-to-market. If it feels like it does, you are very likely overlooking something and relying on the false sense of security it offers.
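As an added illustration of the "malformed payloads" point (example code written for this page, not code from the thread or from Wiznet): even when the chip terminates TCP/IP, the firmware still parses whatever bytes the socket hands it, and that parser is where the remaining attack surface lives. The frame layout (`[type:1][len:2 BE][payload]`), the 64-byte payload limit, and the sample frames below are all assumptions constructed for the example; the driver call that fills `buf` from the chip's receive buffer is omitted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical application frame: [type:1][len:2 big-endian][payload:len].
   Layout and limits are assumptions for this example, not a real protocol. */
#define FRAME_HDR_LEN     3
#define FRAME_MAX_PAYLOAD 64

typedef struct {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[FRAME_MAX_PAYLOAD];
} frame_t;

typedef enum {
    FRAME_OK = 0,
    FRAME_ERR_SHORT_HEADER, /* fewer than 3 bytes available */
    FRAME_ERR_TOO_LONG,     /* declared length exceeds our own buffer */
    FRAME_ERR_TRUNCATED     /* declared length exceeds what was received */
} frame_status_t;

/* Parse one frame from `avail` bytes the chip handed us. The length field
   comes from the wire, so it is checked against our storage and against the
   byte count actually received before anything is copied. This is the check
   that TCP/IP offload does nothing to provide. */
frame_status_t parse_frame(const uint8_t *buf, size_t avail, frame_t *out)
{
    if (avail < FRAME_HDR_LEN)
        return FRAME_ERR_SHORT_HEADER;

    uint16_t declared = (uint16_t)(((unsigned)buf[1] << 8) | buf[2]);

    /* Bound 1: our buffer. A hostile length field must not drive memcpy
       past out->payload. */
    if (declared > FRAME_MAX_PAYLOAD)
        return FRAME_ERR_TOO_LONG;

    /* Bound 2: what actually arrived. Reading past `avail` would pull stale
       receive-buffer bytes (possibly another client's data) into the frame. */
    if (declared > avail - FRAME_HDR_LEN)
        return FRAME_ERR_TRUNCATED;

    out->type = buf[0];
    out->len  = declared;
    memcpy(out->payload, buf + FRAME_HDR_LEN, declared);
    return FRAME_OK;
}

/* Convenience wrapper returning only the status, for quick checks. */
int parse_status(const uint8_t *buf, size_t avail)
{
    frame_t f;
    return (int)parse_frame(buf, avail, &f);
}

/* Constructed sample input, not captured traffic. */
static const uint8_t SAMPLE_GOOD[]      = { 0x01, 0x00, 0x03, 'a', 'b', 'c' };
static const uint8_t SAMPLE_OVERSIZE[]  = { 0x01, 0xFF, 0xFF, 'a', 'b', 'c' }; /* len 65535 */
static const uint8_t SAMPLE_TRUNCATED[] = { 0x01, 0x00, 0x10, 'a', 'b', 'c' }; /* len 16, 3 present */
static const uint8_t SAMPLE_SHORT[]     = { 0x01, 0x00 };

int main(void)
{
    const char *names[] = { "good", "oversize", "truncated", "short" };
    const uint8_t *bufs[] = { SAMPLE_GOOD, SAMPLE_OVERSIZE, SAMPLE_TRUNCATED, SAMPLE_SHORT };
    size_t lens[] = { sizeof SAMPLE_GOOD, sizeof SAMPLE_OVERSIZE,
                      sizeof SAMPLE_TRUNCATED, sizeof SAMPLE_SHORT };

    for (int i = 0; i < 4; i++) {
        frame_t f;
        frame_status_t s = parse_frame(bufs[i], lens[i], &f);
        printf("%-9s -> status %d", names[i], (int)s);
        if (s == FRAME_OK)
            printf(" (type %u, %u payload bytes)", f.type, f.len);
        printf("\n");
    }
    return 0;
}
```

Both rejections matter: the oversize case is the classic stack/heap overwrite, and the truncated case is the quieter information leak from whatever was previously in the receive buffer. Neither is affected by whether TCP was terminated in silicon or in software.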