Stateless firewalls are the core problem
Most so called stateful firewalls only look at TCP state so if the packet says its not new, it gets handed off through the firewall. Things like VPNs and VOIP tend to use stateless protocols so most firewalls don't do a proper stateful firewall with those packets. Most VPN software inserts packets on the trusted side of firewalls so there will be no end of security issues. Add in the fact that nearly no one checks for IPv6 even though it is on for nearly every bit of hardware around these days mean the old days of Untrusted/DMV/Trust network design was obsolete two decades ago. A modern firewall must be truly stateful (based on its own idea of state, not bits in the packet) and zone based (using names for groups of interfaces no matter what the ip addresses or vlan) or else these issues will keep showing up.