Worth noting that "behind NAT" is not a security measure. Technologies exist that circumvent NAT to various degrees (and that's usually without malicious intent!). WebRTC is a famously annoying example of this where it's got tons of legitimate applications but has also been responsible for serious security issues, especially in earlier implementations.
The same set of tools exist with different names to punch the same sorts of holes automatically in ipv6 firewalls, so are ipv6 firewalls also not security measures?
I'm fully aware, it was mostly a "shorthand". In general it's harder to attac/access a computer that is not directly exposed to the internet and/or not listening on any port.
