Every quarter, Microsoft's threat intelligence publishes the same data point in slightly different language: VPN infrastructure is a consistent entry vector for ransomware and intrusion, and full domain compromise frequently follows within hours of a single successful login. The pattern is so reliable that VPN exposure is now one of the first things a cyber-insurer asks about.
The practical problem with VPN as a security model is that it puts a remote user inside the network. Once inside, lateral movement is a question of credentials, not of breaking down further walls. The standard alternative — Azure Virtual Desktop with role-based Published Apps and Conditional Access — flips the model. There is no "inside" for the user to land in. They get a managed session, scoped to specific apps, with the device-trust posture checked on every connection.
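The "device-trust posture checked on every connection" part of that model is enforced by a Conditional Access policy scoped to the Azure Virtual Desktop application. The following is an added example written for this page, not code from the original post or from Microsoft's documentation: it creates one such policy with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, that the caller holds the Policy.ReadWrite.ConditionalAccess permission, and that the group and application IDs are placeholders to be replaced with the tenant's own values; the session-control settings used here are the ones I know the Graph conditionalAccessPolicy resource accepts and are labelled as assumptions in the comments.

```powershell
# Added example (not from the original post): a Conditional Access policy that
# requires an Intune-compliant device plus MFA before any Azure Virtual Desktop
# sign-in and re-evaluates that requirement on every connection.
# Assumptions: Microsoft.Graph SDK installed; caller holds
# Policy.ReadWrite.ConditionalAccess; the two IDs below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$avdUsersGroupId = "<object-id-of-AVD-users-group>"    # placeholder: Entra group that is allowed to use AVD
$avdAppId        = "<app-id-of-Azure-Virtual-Desktop>"  # placeholder: find it under Enterprise applications

$policy = @{
    DisplayName = "AVD: compliant device + MFA, re-checked every sign-in"
    # Start in report-only mode and review the sign-in logs before switching
    # the state to "enabled"; a misconfigured policy here locks out the help desk.
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users          = @{ IncludeGroups = @($avdUsersGroupId) }
        Applications   = @{ IncludeApplications = @($avdAppId) }
        ClientAppTypes = @("all")
    }
    GrantControls = @{
        # AND: the device must be compliant and the user must pass MFA;
        # a valid password alone (the VPN failure mode) is not enough.
        Operator        = "AND"
        BuiltInControls = @("mfa", "compliantDevice")
    }
    SessionControls = @{
        # Assumption: signInFrequency with frequencyInterval "everyTime" forces
        # re-authentication on each new AVD connection instead of on a timer.
        SignInFrequency = @{
            IsEnabled          = $true
            FrequencyInterval  = "everyTime"
            AuthenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

# Create the policy and keep the returned object (its Id is needed later
# to flip State from report-only to enabled).
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Leaving the policy in report-only mode for a week and reading the "Report-only" column of the Entra sign-in logs shows exactly which users and devices would have been blocked, which is the check to run before enforcement; the compliant-device grant also depends on the AVD session hosts and client devices actually being enrolled in Intune, so an unenrolled but legitimate laptop is indistinguishable from an attacker's machine to this policy, by design.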
Replacing a VPN is not a weekend project. It is, however, a project that pays back in reduced attack surface every single day after it ships.
