You should be able to touch config/disable-php-security for each of the sub-sites then tun `sudo sympl-web-configure, which will disable the open_basedir configuration, and should solve the issue.
It’s because the actual target of the symlink isn’t in the authorised path, so PHP isn’t allowed to actually read the files.
It’s a known ‘feature’ at the moment, but when sympl-web gets re-worked, it’ll take these into account when configuring the PHP security.