Ultimately we do need to secure our endpoint devices. They need to be secure by default. NAT and firewalls let us get away with insecure broken OSes and services for a while, but not forever, and they create the "soft underbelly problem" where once someone manages to hop your firewall everything is vulnerable.