There is no perfect security. Ever. A sufficiently determined attacker can and will succeed against anything you can do, given that sooner or later somebody involved will make an opsec mistake somewhere. Or the existing attacks against MD5, RC4 and SSL/TLS security — attacks including BEAST, CRIME, Lucky 13, etc. — will continue to be "weaponized".
Firewalls and VPNs only get you so far, and it's common for attackers to use a variety of attacks to try to breach those, or to bypass the network security entirely. So-called "spearphishing" tries to get somebody on the network to breach security for the attacker. The best VPN and the best firewall are worth nothing if you have Java enabled in your web browser and the Java JVM sandbox gets breached (again), or if you receive and open a document that contains malware, for instance.
Facebook and other entities were recently breached using what is known as a watering hole attack, and that was only spotted by detecting "odd" outbound network traffic. The attack got around the firewalls and the VPNs and the rest of the security, and was active on the organizations' internal networks.
If you're securing nuclear secrets or large sums of money or exceedingly embarrassing or sensitive data, then you definitely and certainly do need to focus on this stuff, and you're going to be spending time and effort and money on making your organization harder (emphasis on harder) to attack. But attacks will continue.
If you're dealing with a home network or a typical small business network, then you just don't want to be the lowest of the low-hanging fruit around, and you want to avoid opsec mistakes such as open ports or weak passwords, and you don't want to give the good folks of the Internet reasons to attack you. You want to be not worth attacking, or not as "fun" and not as valuable to attack.
Even if your security is not attacked, a DDoS can still ruin your day.
As I've mentioned elsewhere, I much prefer using a VPN server in a gateway-firewall-router device — as VPNs and NAT don't mix very well — and I do use private certificate authority chains. But in terms of attacks? Keep your software and your security current, review your logs and your rules, DMZ any services you provide to "outside", maintain and verify backups — those backups can be your recovery path from a breach — and start looking at "odd" or "unexpected" outbound traffic, too. VPNs are just part of avoiding the mess of a cleanup.
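As an added illustration of the "look at odd outbound traffic" advice above (this is example code written for this page, not anything from the original post or from any product it mentions), here is a small Python script that runs two checks over constructed connection-log lines: outbound connections from internal hosts to ports your policy does not expect, and regular "beaconing" from one internal host to one external host. The log format, the internal networks, the allowed-port list and the sample lines are all assumptions made for the example; adapt the parser to whatever your firewall or router actually logs.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic). Assumed shape per line:
#   <ISO timestamp> <src_ip>:<sport> -> <dst_ip>:<dport>/<proto>
SAMPLE_LOG = """\
2013-02-20T09:00:01 10.0.1.23:51234 -> 93.184.216.34:443/tcp
2013-02-20T09:00:05 10.0.1.23:51235 -> 93.184.216.34:80/tcp
2013-02-20T09:01:00 10.0.1.44:60001 -> 198.51.100.7:6667/tcp
2013-02-20T09:02:00 10.0.1.44:60002 -> 198.51.100.7:6667/tcp
2013-02-20T09:03:00 10.0.1.44:60003 -> 198.51.100.7:6667/tcp
2013-02-20T09:04:00 10.0.1.44:60004 -> 198.51.100.7:6667/tcp
2013-02-20T09:05:12 10.0.1.9:40000 -> 10.0.2.5:445/tcp
2013-02-20T09:06:30 10.0.1.23:51300 -> 203.0.113.50:53/udp
"""

# Assumption: RFC 1918 space is "inside"; anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the destination ports this site's policy expects to see leaving.
EXPECTED_OUTBOUND_PORTS = {25, 53, 80, 123, 443, 587, 993}


def is_internal(ip_text):
    """True if the address falls inside one of the assumed internal networks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict; returns None for blank/malformed lines."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    ts, src, _, dst = parts
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, port_proto = dst.rsplit(":", 1)
    dport, proto = port_proto.split("/", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src_ip,
            "dst": dst_ip, "dport": int(dport), "proto": proto}


def parse_log(text):
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def find_unexpected_outbound(text):
    """Inside -> outside connections whose destination port is not on the allow list.
    Internal-to-internal traffic is ignored here; that is a separate review."""
    return [rec for rec in parse_log(text)
            if is_internal(rec["src"]) and not is_internal(rec["dst"])
            and rec["dport"] not in EXPECTED_OUTBOUND_PORTS]


def find_beacons(text, min_hits=4, max_jitter_s=5.0):
    """Flag (src, dst, dport) tuples that connect repeatedly at a near-constant
    interval, a common shape for malware check-ins. Returns {tuple: interval_s}."""
    times = defaultdict(list)
    for rec in parse_log(text):
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            times[(rec["src"], rec["dst"], rec["dport"])].append(rec["ts"])
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            beacons[key] = round(sum(gaps) / len(gaps), 1)
    return beacons


if __name__ == "__main__":
    for rec in find_unexpected_outbound(SAMPLE_LOG):
        print("unexpected port:", rec["src"], "->", rec["dst"], rec["dport"], rec["proto"])
    for (src, dst, dport), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst}:{dport} every {interval}s")
```

On the sample data the only host that trips both checks is the one talking to port 6667 (classic IRC, a port a small office rarely needs outbound) once a minute like clockwork; the web and DNS traffic passes, and the internal SMB connection is deliberately left to a separate internal-traffic review. The jitter threshold matters: real check-ins drift a few seconds, so requiring exactly equal gaps would miss them.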