Re: Good
"WiFi security has a long track record of being terrible"
You really need to add "using pre-shared keys".
If you are running a VPN server, use RADIUS and run one of the EAP solutions (EAP-TLS is recommended), as it allows you to rotate your session keys, which significantly limits the available WiFi attacks, and allows you to avoid any VPN packet header overhead issues.
It's not quite as secure as the highest-security VPN options (limited to AES128 but no PFS options) but should exceed most requirements. WPA3 adds perfect forward secrecy (PFS) and protected management frames, which should provide a small bump in security, but I suspect it opens the way to WPA4 for AES256 with further improvements, given how common AES-NI offload hardware has become.
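
Added example, not part of the comment above: a small audit that flags the pre-shared-key setup the comment warns about and checks for the RADIUS/EAP alternative plus protected management frames. It assumes a hostapd-style access point config (the comment names no product); both sample configs are constructed, and the EAP method itself (such as EAP-TLS) is chosen on the RADIUS server, so it is not checked here.

```python
# Added example: audit a hostapd-style AP config (hostapd is an assumption;
# the comment names no product). Both sample configs are constructed.
PSK_CONFIG = """\
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=constructed-passphrase
rsn_pairwise=CCMP
"""
EAP_CONFIG = """\
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_shared_secret=constructed-secret
rsn_pairwise=CCMP
eap_reauth_period=3600
ieee80211w=2
"""

def parse(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return findings; an empty list means none of the checks fired."""
    conf = parse(text)
    findings = []
    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    if any("PSK" in m for m in key_mgmt) or "wpa_passphrase" in conf or "wpa_psk" in conf:
        findings.append("pre-shared key: one static secret shared by every client")
    if not any("EAP" in m for m in key_mgmt):
        findings.append("802.1X/EAP not enabled: no per-user keying via RADIUS")
    else:
        if conf.get("ieee8021x") != "1":
            findings.append("WPA-EAP selected but ieee8021x=1 is missing")
        if "auth_server_addr" not in conf:
            findings.append("no RADIUS server (auth_server_addr) configured")
        if conf.get("eap_reauth_period") == "0":
            findings.append("EAP reauthentication disabled: keying material never renewed")
    if conf.get("ieee80211w") != "2":
        findings.append("protected management frames not required (ieee80211w=2)")
    return findings
```

Calling `audit(PSK_CONFIG)` returns three findings, while `audit(EAP_CONFIG)` returns an empty list.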