Because you as a web master would keep it all backed up and patched up. You also would not use any OS that is no longer supported. That's XP and prior for most since there are unpatched issues there.
As to the VPN tunnel, you as a web master know that every extra software/tunnel takes a speed toll.
As to what would be the attack vectors, that is not possible to answer here. It won't fit even if the host OS and such were known, and there are new findings every few days, it seems.
--> What's confusing about your post is DMZ and port forwards. I use one or the other. Both would be odd and could break the system.
I have a webserver on a local dedicated PC. The Asus rt66ac is hosting DMZ and port forwards to the local PC. In addition I'm using OpenVPN on the connection.
Question is, is it safe to use DMZ as is without VPN? What would be the attack vectors? How can I prove that the VPN tunnel is being used, since it is working just as well without the VPN?!?