Yes. All VPN's have mechanisms to prevent replay and session hijack attacks as well as their own independent authentication mechanisms. However, it is possible to disarm or disable such features, so don't assume that they're functional unless you check the settings.
Those who would give up essential security to purchase a little temporary convenience deserve neither security or convenience. (Apologies to Ben Franklin).
Possibly. More likely that nobody cares. I'm not a security expert so I only have a passing interest in such topics.
Nope. Just the Wi-Fi hackers hang out here. On weekends, I'm more interested in breaking into networks than securing them. During the work week, it's the other way around.
You might also find this interesting reading:
"It was possible to bring the client from a secure EAP/TLS network to an insecure one without any warnings from the operating system."
Well, that's an article on extending the all too common phishing attack for banking sites, where the counterfeit site maintains a fake SSL server, and is able to somehow (not described in the article) break multiple authentication and key exchange mechanisms. The article is also theoretical, intentionally incomplete, and reads like a sales pitch for the authors security services company. I'm not qualified to judge whether the proposed extensions to phishing are probable.