It’s only bad practice if you don’t keep up on vulnerabilities/patching, don’t have any type of monitoring or ability to detect a potential breach, etc.
The nice thing about tucking everything behind a VPN is you only have one attack surface to really worry about.
That’s not true anymore. https://docs.fcc.gov/public/attachments/FCC-19-72A1.pdf