3.0.1 (Build: 4350) is the current auto-update version. That update appeared within a couple of days of Sept. 26, but that seems to have been a release to fix some other problem. It was pretty quick after the previous auto-update which is why I was worried. 4350 doesn't need (or, perhaps, want) updating.
I interpret the OBIsupport response as meaning that the 202 is using busybox sh, not bash. I do know it is using a full version of udhcpd, both because I remember this from last time I examined the firmware and because my previously posted udhcpd hack to make the DHCP server handle host names still works. (That hack is horribly like shellshock, but never mind.)
They don't really need a big shell like bash because most of the software is in the megaserver, and I believe it is the megaserver which is normally updated. The megaserver implements all the VOIP support *and* a proprietary web browser, so even if they used bash the standard web browser (HTTP header) shellshock exploits probably wouldn't work. (I know it's a proprietary web server because they do not release source code - if they had copied Apache or similar they would be obliged to release the code of the megaserver, but I've never been able to locate it.)
John Bowler