> If you run your firewall / router in a VM, that means there's a physical box hosting it which is physically plugged directly into the internet, unprotected by the firewall. I'm not saying it can't be done reasonably safely, but that's certainly not my preference.
What are you talking about? I run this exact setup and my host isn't "unprotected by the firewall." The port belongs to pfSense as the WAN port and unless I open something up to my host within the firewall rules, no one is getting access to it.
Are you sure you've been in the business for any length of time deploying openwrt?
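The setup described above relies on the WAN-side NIC being owned entirely by the firewall VM, with the hypervisor host holding no address on it. The following is an added audit script, not code from either poster: it takes the name of the NIC dedicated to the firewall's WAN port and counts host-side IPv4/IPv6 addresses on it, using the `ip -o addr show` output format. The interface names and addresses are constructed samples; `wan_nic_exposed` is a hypothetical helper name, and on a real host you would pass it `"$(ip -o addr show)"` instead of the sample strings.

```shell
#!/bin/sh
# Added example (hypothetical): verify the hypervisor host holds no address
# on the NIC that is passed through to the firewall VM as its WAN port.
# Any address here (even link-local IPv6) means the host itself is reachable
# on the WAN segment, outside the firewall VM's rules.

# Constructed sample of `ip -o addr show`: eth0 is host management,
# eth1 is the WAN NIC. In the clean case eth1 has no host address at all.
SAMPLE_CLEAN='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
2: eth0    inet6 fe80::1/64 scope link'

# Constructed sample where the host mistakenly has an address on the WAN NIC.
SAMPLE_BAD='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: eth1    inet 198.51.100.7/24 brd 198.51.100.255 scope global eth1
3: eth1    inet6 fe80::2/64 scope link'

# wan_nic_exposed NIC ADDR_OUTPUT
# Prints the number of inet/inet6 addresses the host holds on NIC (0 is good).
# Fields in one-line `ip -o addr` output: $1 index, $2 ifname, $3 family.
wan_nic_exposed() {
    nic="$1"
    printf '%s\n' "$2" | awk -v nic="$nic" \
        '$2 == nic && ($3 == "inet" || $3 == "inet6") { n++ } END { print n + 0 }'
}

# Usage on a live host: wan_nic_exposed eth1 "$(ip -o addr show)"
if [ "$(wan_nic_exposed eth1 "$SAMPLE_CLEAN")" -eq 0 ]; then
    echo "clean sample: host has no address on eth1"
fi
if [ "$(wan_nic_exposed eth1 "$SAMPLE_BAD")" -ne 0 ]; then
    echo "bad sample: host holds an address on eth1, WAN NIC is exposed"
fi
```

A zero count is the expected state for a passed-through WAN NIC; a non-zero count means the host has configured the interface (or a bridge member got an address) and needs to be fixed before the firewall rules can be said to protect it.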