Most NAT implementations have some weaknesses. First, usually a packet, which has a source address, which seems to come from inside the network, is accepted and routed inside.
This is, why one wants to filter such packages on NAT boxes.
Additionally, usually NAT implementations have some state machines or even heuristics for tracking protocols, which are not just simply NATable. Frequent examples for this are FTP, connectionless or encrypted protocols.
(to clarify: I mean masquerading with NAT here)
This often results in attacking vectors, how to fake a connection wich does not exist, and how to insert packages, which are accepted and routed inside.
NAT routers with sensible filtering usually provide a high level of security. The security then comes from filtering, not from NAT. This ist not a design flaw:
Masquerading with NAT never was meant to provide security - it was developed in the times, where people were getting short of IP adresses, to provide a solution for having more devices than "real" addresses in the Internet.
Yours, VB.