Because you, as a webmaster, would keep it all backed up and patched up. You also would not use any OS that is no longer supported. That's XP and prior for most, since there are unpatched issues there.

As to the VPN tunnel, you as a webmaster know that every extra piece of software or tunnel takes a speed toll.

As to what the attack vectors would be, that is not possible to answer here. It wouldn't fit even if the host OS and such were known, and there are new findings every few days, it seems.

--> What's confusing about your post is DMZ and port forwards. I use one or the other. Both would be odd and could break the system.
Bob