We rarely tunnel video over VPN, but I always set up a VPN for remote support. OpenVPN TAP connector is my prefrence, as it allows the use of camera discovery utilities that rely on non-routable protocols (It would be a terrible choice for streaming video, however - use TUN).
If the VMS streams video via TCP (most do), this further complicates life as that should push you towards a UDP based VPN transport. A UDP VPN requires quite a bit more work, as you are then required to set up port forwarding at both server and all client locations (or use UPnP). I have broken the no-tcp-over-tcp rule before with success, but I have also had it fail miserably (almost always when something really important is happening and you NEED to see the video).
I think the risk of port forwarding is being overstated. Has anyone ever heard of a network compromise that occured because ports were forwarded for VMS access? (And no - I am not saying that it CAN'T happen).
I'd say the appropriatness of port forwarding vs. VPN depends entirely upon the risks associated with a breach (no port forwarding into the local nuclear power plant, OK?), vs the opportunity costs associated with the added complexity a VPN brings.