keep in mind a VPN gives access to the whole network, a port forwarded only gives access to the NVR/Camera as most NVR's will be connected to the lan to allow local access.so by disabling upnp and other cloud features to allow easy access to the cameras and correctly securing the cameras with good password practices keeping the firmware updated and only opening ports required for the remote access can be more secure that a PPTP vpn
so if you look at hikvision the only port required for the mobile app is 8000 in default (this port can easily be changed to avoid people scanning for the default port), quickly looking at the "privilege escalation vulnerability" the hack require few things a default account access to a camera and access to port 554, so only allowing access to the required port for the mobile app would not allow the attack, but hacking the PPTP VPN or getting a reverse shell on a windows box would also the hack requires vulnerable devices
the other hik hack was more down to installers not changing defaults, opening every port mentioned in the manuals. I.E bad practices.
remember if you don't need it don't open it
i see a lot of routers were the installer has opened pot 80,443,554,8000,25,21,22 and a 1xxx and the customer is only using the mobile app.
so as a lot of people on here will be CCTV installers and not networking wizards there is a balance between a correctly configured CCTV install using port forwards or using a PPTP VPN, you really need to look at the whole application and what would be the best solution for the End User, good practices, password management, firmware updates, correctly configured port forwarding may be just as secure.
port forwarding is not the daemon people would like to make out though VPNs (not pptp) are always recommended over port forwarding.
try googling "is port forwarding safe" there are a lot of opinions out there
