ASR9001 is built on the 2nd generation of Ethernet line cards for ASR9000 (aka Typhoon line cards). We also have ASR9901, which has the same form factor as ASR9001, but it's built on the 3rd generation Ethernet line cards for ASR9000 (aka Tomahawk line cards). It would be better consider ASR9901 because of investment protection.
You are right in concluding that ASR1k supports some features that ASR9k does not support natively. On ASR9k data-plane features are implemented in microcode of a network processor highly optimised for ethernet frame processing, providing for much higher throughput compared to ASR1k. The ESP architecture on ASR1k provides for more flexibility in the data-plane, hence it can easily support more features natively.
ASR9k supports CGNAT in a multi-slot ASR9k chassis with an A9K-VSM-500 card. There's no support for IPSec on ASR9k, but MACSec can address many scenarios where data protection is required.
I suppose your decision over ASR9k vs ASR1k will depend on which types of interfaces you require and which features need to be supported natively.
Hope this helps,
/Aleksandar