
> NAT isn’t actually a security feature

Perhaps not in the high brow network security world, but in practice it really is used that way.

Who here has never launched an unauthenticated server on their LAN?





When I was about 12 I was working on a PHP3 application. I had some issues with a MySQL query, so I pasted my code to pastebin (or whatever we used back then) and shared the link on IRC; the code included my database credentials.

Back then our ISP gave every computer a public IP.

The next thing that happened was that someone changed my MySQL password, and me being 12, I didn’t know how to change it back.

They made me beg for the password, to the great amusement of the whole channel, and then they helped me secure it and taught me how to reset the password.

NAT would have saved me, but I wouldn’t have received a free, though a bit embarrassing, security lesson.


That's what the firewall on your router is for. NAT might also stop someone connecting, but it's not a guarantee. You can get given a public address and be exposed, you can find out your server actually does UPnP automatically and so is exposed, etc. A firewall is more explicit and a better defence.

That's a strange example. An unauthenticated server on a LAN wouldn't be exposed to the Internet any more than a network using NAT would be. You would need to explicitly configure your router's firewall to expose a local node, the same way you would need to explicitly configure port forwarding with a NAT-based network.

I've seen some argue that a hypothetically buggy router would somehow be less likely to fail if NAT was used, but really, that could equally be said about bad port forwarding defaults, which have in fact happened. Complexity is what increases the likelihood of bugs at the end of the day.

NAT is just an addressing hack, a weirdly complex way of indirectly routing to local addresses. It only influences what is written on the envelope, not how that envelope is processed at the post office.
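As an added illustration of the "envelope versus post office" point above (this is not code from the thread or from any router; every address, port and class name is constructed), here is a toy Python model of a home gateway. A `Nat` object only rewrites addresses and returns nothing when an inbound packet has no translation entry; a `StatefulFirewall` object makes the actual accept/drop decision. Running the scenarios shows the cases discussed in the thread: a LAN host with a public address and no firewall is reachable, NAT alone happens to drop an unsolicited packet only because it has no LAN address to write on it, and a UPnP-style mapping (modelled as installing both the translation and the accept rule, which is what IGD daemons do) reopens the port in either setup.

```python
"""Toy NAT-versus-firewall model. Added example; addresses and ports are
constructed (documentation ranges), not a real network."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Rewrites addresses only; never decides whether a packet is wanted."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table = {}  # public port -> (lan ip, lan port)
        self.next_port = 40000

    def add_mapping(self, public_port: int, lan_ip: str, lan_port: int) -> None:
        """A manual port forward, or what a UPnP AddPortMapping installs."""
        self.table[public_port] = (lan_ip, lan_port)

    def translate_out(self, pkt: Packet) -> Packet:
        pub, self.next_port = self.next_port, self.next_port + 1
        self.table[pub] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub, pkt.dst, pkt.dport)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """None means 'no LAN address to write on the envelope', not 'denied'."""
        if pkt.dport not in self.table:
            return None
        lan_ip, lan_port = self.table[pkt.dport]
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port)


class StatefulFirewall:
    """Forward chain: drop by default, allow replies, allow explicit openings."""

    def __init__(self):
        self.conntrack = set()  # (lan ip, lan port, remote ip, remote port)
        self.allowed = set()    # (lan ip, port) opened on purpose

    def allow_inbound(self, lan_ip: str, port: int) -> None:
        self.allowed.add((lan_ip, port))

    def permit(self, pkt: Packet, from_lan: bool) -> bool:
        if from_lan:
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return True  # reply to a connection a LAN host opened
        return (pkt.dst, pkt.dport) in self.allowed


class Gateway:
    def __init__(self, nat: Optional[Nat], fw: Optional[StatefulFirewall]):
        self.nat, self.fw = nat, fw

    def outbound(self, pkt: Packet) -> Packet:
        """Packet as the Internet sees it (after SNAT, if any)."""
        if self.fw:
            self.fw.permit(pkt, from_lan=True)
        return self.nat.translate_out(pkt) if self.nat else pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet delivered to the LAN, or None if it never gets there."""
        if self.nat:
            pkt = self.nat.translate_in(pkt)
            if pkt is None:
                return None
        if self.fw and not self.fw.permit(pkt, from_lan=False):
            return None
        return pkt


ROUTER_IP, ATTACKER, MYSQL = "203.0.113.1", "198.51.100.7", 3306
NAT_HOST = "192.168.1.10"     # LAN host behind NAT
PUBLIC_HOST = "203.0.113.10"  # same host when the ISP hands out public addresses


def build(nat: bool, firewall: bool, upnp: bool):
    host = NAT_HOST if nat else PUBLIC_HOST
    n = Nat(ROUTER_IP) if nat else None
    fw = StatefulFirewall() if firewall else None
    if upnp:  # an IGD daemon installs both halves: translation and accept rule
        if n:
            n.add_mapping(MYSQL, host, MYSQL)
        if fw:
            fw.allow_inbound(host, MYSQL)
    return Gateway(n, fw), host


def unsolicited_reaches_lan(nat: bool, firewall: bool, upnp: bool = False) -> bool:
    """An attacker's SYN to 3306 that no LAN host asked for."""
    gw, host = build(nat, firewall, upnp)
    delivered = gw.inbound(Packet(ATTACKER, 51515, ROUTER_IP if nat else host, MYSQL))
    return delivered is not None and delivered.dst == host


def reply_reaches_lan(nat: bool, firewall: bool) -> bool:
    """A reply to a connection the LAN host opened must come back in every setup."""
    gw, host = build(nat, firewall, False)
    out = gw.outbound(Packet(host, 50000, "192.0.2.80", 80))
    back = gw.inbound(Packet(out.dst, out.dport, out.src, out.sport))
    return back is not None and back.dst == host and back.dport == 50000


if __name__ == "__main__":
    for nat, fw, upnp in [(False, False, False), (False, True, False), (True, False, False),
                          (True, False, True), (True, True, False), (True, True, True)]:
        print(f"nat={nat!s:5} firewall={fw!s:5} upnp={upnp!s:5} "
              f"exposed={unsolicited_reaches_lan(nat, fw, upnp)}")
```

The model deliberately leaves out everything a real stack does beyond the one question (does an unsolicited packet reach the LAN host?), so it says nothing about hairpinning, ALGs or conntrack timeouts. What it does make visible is that the NAT-only "protection" is the absence of a table entry, which any port forward or UPnP request silently supplies, whereas the firewall's decision is a separate, auditable rule that holds regardless of which address is on the envelope.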


What does NAT do for security that a firewall doesn't?

If you do not have any communication through this firewall - nothing. But then why have a connection in the first place?


