Greg -
The issue with port forwarding is that it opens a device up to a direct connection from random/unknown outside entities. Take the Hikvision Backdoor Exploit, for example: the vulnerability there was so severe because it circumvented admin passwords/password strength and allowed anyone who could connect to the camera to take full control of it.
It would seem that the issue is not with port-forwarding itself but rather the security of the device that is targeted.
This is correct, if you keep in mind that overall device security is both a factor of how the device is set up and put online, and a factor of vulnerabilities and weaknesses hard-coded by the manufacturer. Sometimes, as Hikvision and others have demonstrated, a certain amount of diligence on the part of the user/installer can be easily undone by system vulnerabilities.
A VPN, on the other hand, by nature drastically limits the ability for random people to connect to the device, limiting you to internal threats instead of external threats. A weak device on a VPN is still undesirable, but it is at least a massive leap forward from a weak device on a public connection.