Think of network security like physical security. You want layers upon layers of protection. The more secure and capable each of those layers are the more protected your core network is. If you have good quality doors and locks on your house that is certainly good, but if you live in a gated community with staffed security in addition to those doors and locks all the better. If you add an alarm system and some dogs that can increase security even more. If you make sure all the doors and windows are locked and the alarm is on when you leave that increases security as well since inactive security is no security.
Network security is much the same way. You can have a fully featured Firewall that can ignore traffic based on country of origin, while not perfect it will greatly reduce attacks from countries that have no business talking to your network. A VPN can be configured with extensive security, for example x.509 certificates are an excellent way to secure a VPN connection. They are essentially a digital ID card that must be shown to the VPN server for it to talk to you, because of how they are designed they are extremely difficult to bypass. Complicated passwords, more accurately pass-phrases, can make for substantially increased security. Two factor authentication is an order of magnitude more secure as you need not only your password but also a short duration, usually numeric sequence, code that has a usable lifespan of 30 to 60 seconds. Often these days you can install an app on your smart phone like Duo Security which allows the ongoing generation of two factor codes. Duo Security is supported by numerous companies such as Microsoft for Outlook.com and Lastpass.com.
By having your cameras connected only to your PC or NVR and having no direct Internet access themselves you can further limit the possible vectors for attack.
The underlying issue revealed in the original linked story is that people are lazy. People will fight against having complicated passwords, people will fight against having to use two factor authentication, people will fight against having to do steps they don't think are necessary because they don't understand the gravity of those steps. IT people may not have the time or the resources to educate people on how important these steps are. The IT people themselves may not even know that these steps can be important, not every IT person is a fully capable professional I am sorry to say. The result of all these factors and more is that the computer security, particularly at Government facilities that do not specialize in technology, can be terribly lacking.
For example port forwarding is suggested almost universally as the way to grant access to your security cameras when you are away from the network with the cameras. This does indeed grant remove viewing of the cameras and is able to be setup with ever increasing ease. I would bet that 90% of security camera systems setup in the world with remote viewing enabled are using port forwarding. Usually port forwarding allows the entire Internet to talk to those ports, no country specific traffic blocking is taking place. The cameras, the NVR, or the PC that the ports forward to can have security flaws or builtin admin accounts that cannot be disabled, they may be susceptible to exploits in their OS. If the password on the camera DVR is still password...*sigh*.
People often say "I don't care if someone can see my camera feeds so I don't need to bother with a VPN..." while this might be true these people don't care about someone seeing the camera feeds they are overlooking a significant fact, NVRs are computers. NVRs have processors, RAM, hard drives, operating systems (usually some Linux/*nix derivative) and the manufacturer probably isn't adept at building hardened OS' for exposure to the open Internet. There could be countless exploits and flaws exposed on that NVR which in turn is exposed to the open Internet by port forwarding. Even cameras have operating systems on them and can be riddled with flaws. If an attack can gain access to the OS by using exploits they can potentially install malware or command the device to participate in a DDOS (Distributed Denial Of Service) attack. They could use that compromised NVR to infect your other devices with malware. This is why anyone who knows anything about network security says VPN only for remote viewing. By using a VPN only AUTHORIZED and AUTHENTICATED devices may speak to the NVR/PC/Cameras in any way.
Most IoT (Internet of Things) devices are built for convenience and quick production time. The people who build these devices may well be quite smart, but unless they are versed in network security they are unlikely to build a hardened secure device by chance.
Port forwarding is like leaving for work in the morning and leaving your garage door open. Sure the door from the garage into the house is locked as is the front door to the house. A person who is walking by can just walk into your garage, yeah there might not be much of value in your garage so they can help themselves. But you are forgetting that the door from the garage to the house is nowhere near as strong as the front door, nor are the locks as good. Since you have no alarm once this person gets thru the door from the garage into your house they will have the run of the place for hours.