There's a significant difference which my original message hints at and is subsequently clarified: there's still an intermediary. If there's an exploit in the service, like this case, it's still not directly exposed. The intermediary device is still sitting in between and won't allow any old traffic through without separate authorization