NAT doesn't protect you from security problems, it just makes it harder to connect directly to you, requiring an intermediate exchange that is on an accessible server, resulting in more points that can be compromised.
It reduces, rather than increases security, since now the communication can be compromised by a security hole at either end (and NAT doesn't stop the machines behind it from being compromised) or at the exchange intermediating between them (which, most likely, neither party has any control over or detailed knowledge of the security practices in place on.)
And major ISPs are deploying IPv6 now: no mandate required.
"requiring an intermediate exchange that is on an accessible server"
Exactly. So the onus of security is pushed off solely onto the centralized intermediary. In my example it's the Skype servers.
They can very easily firewall and filter all the connections. They can have a much stricter filter than what you have on your computer. (ex: packets have to very strictly conform to a certain standard generated by the client side program)
Centralized servers are also more secure because you don't have any access to the server code and it becomes virtually impossible to look for exploits.
Also if any bug IS found, then patching it is trivial b/c it's at one central point. If worse comes to worst you just shut down the server and now all your clients are safe.
No, the onus of security isn't pushed off on to the intermediary. The communication can still be compromised by compromise of either endpoint. The intermediary is an _additional_ point of failure.
With P2P communications between Ann and Bob, a compromise of Ann's machine or Bob's machine compromises the communication.
With NAT preventing P2P communication between Ann and Bob and requiring them to communicate through intermediary Charlie who is publicly accessible, compromise at Ann's, Bob's, or Charlie's location compromises the channel.
Systems can be compromised without hosting publicly-visible servers, as has been demonstrated in every remote browser-based exploit ever.
So, Charlie's system may be more secure than Ann or Bob's systems, but that doesn't matter because it doesn't _replace_ Ann and Bob's systems, which are still part of the communication channel. More points of vulnerability always means less security, even if the new point of vulnerability is, considered alone, more secure than the most secure existing node.
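The "more points of vulnerability always means less security" claim above can be checked with a small model. This is an added example, not code from any commenter; it assumes (a labelled simplification) that each node on the channel is compromised independently with its own probability, and that the channel counts as compromised if any node on the path is. Under that assumption the channel's compromise probability is 1 minus the product of each node's survival probability, and adding a node can only raise it, however small that node's own probability is.

```python
from math import prod

# Constructed illustration of the "additional point of failure" argument.
# Assumption (labelled): node compromises are independent events, and a
# channel is compromised when at least one node on its path is compromised.
# Per-node probabilities below are made up for the illustration.


def channel_compromise_probability(node_probs):
    """Probability that at least one node on the path is compromised.

    node_probs maps a node name to that node's own compromise probability.
    The channel survives only if every node survives, so
    P(channel compromised) = 1 - product(1 - p_i).
    """
    for name, p in node_probs.items():
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability for {name!r} out of range: {p}")
    return 1.0 - prod(1.0 - p for p in node_probs.values())


def added_risk_from_node(node_probs, new_node, new_prob):
    """Increase in channel compromise probability when one node is added.

    Algebraically this equals (1 - P_before) * new_prob, so it is strictly
    positive whenever new_prob > 0 and the existing path is not already
    certainly compromised: the new node's own hardening can shrink the
    increase but never turn it into a decrease.
    """
    before = channel_compromise_probability(node_probs)
    after = channel_compromise_probability({**node_probs, new_node: new_prob})
    return after - before


def compare_paths(p_ann=0.10, p_bob=0.10, p_charlie=0.01):
    """Compare a direct Ann<->Bob path with one relayed through Charlie.

    Charlie is given a much lower per-node probability than either endpoint
    to mirror the thread's scenario of a well-run intermediary.
    """
    p2p = {"ann": p_ann, "bob": p_bob}
    relayed = {**p2p, "charlie": p_charlie}
    return {
        "p2p": channel_compromise_probability(p2p),
        "relayed": channel_compromise_probability(relayed),
        "added_by_charlie": added_risk_from_node(p2p, "charlie", p_charlie),
    }


if __name__ == "__main__":
    result = compare_paths()
    print(f"direct Ann<->Bob:        {result['p2p']:.4f}")
    print(f"relayed via Charlie:     {result['relayed']:.4f}")
    print(f"increase due to Charlie: {result['added_by_charlie']:.4f}")
```

With the constructed inputs (Ann and Bob at 0.10 each, Charlie at 0.01) the direct path comes out at 0.19 and the relayed path at 0.1981. The model deliberately does not credit the intermediary with lowering the endpoints' own exposure through filtering, which is the point the preceding reply makes; whether such a reduction outweighs the intermediary's added risk is exactly what the two comments disagree about, and this model only quantifies the "additional node" side of it.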