
Yeah, sure, but (a) then those problems potentially also affect the VPN endpoint, so it's still a trade-off, (b) much of the complex protocol machinery often is behind the authentication barrier, so the risk of just exposing the port to the public isn't necessarily that big, and (c) a firewall doesn't necessarily protect your vulnerable service; often there are browsers on the inside that an attacker could use to access those "protected" services.

My point isn't that blocking off ports at the firewall is always pointless, but that it's usually a trade-off, and keeping a vulnerable service running behind the firewall can still be a risk, and many "hacking attempts" are just irrelevant if you follow general best security practices, so it's pointless to do anything specifically to prevent them.


