You and others here are assuming that a VPN provides you with at least some security. In reality, VPNs grow large and open and someone will inevitably bring malware in. Furthermore, people run untrusted software in browsers and VMs that is capable of scanning the VPN and exploiting vulnerabilities. There is no security in a VPN. It's as naked as public IPs.
As for the cost of host security, you have to consider the cost of VPNs too:
- VPNs complicate everything, because all computers inside them are effectively on a crippled, partitioned Internet. Staff that could normally just log in via web interface has to fiddle with network settings. High-bandwidth apps need custom configuration to bypass the VPN in select cases.
- VPNs block cheap cloud services. They encourage deployment of poorly secured self-hosted services with ongoing administration costs.
- And then there's the latency. People will set up a star topology for VPNs, because it's simple and easy to control, but then everyone spends time compensating for the increased latency.
Sure, migration between security models is tricky, but migration to anything is always tricky.