NAT gives you a false sense of security

packets go through NAT, so traffic goes through NAT
attacks using malformed payloads/TCP headers go through

hiding address does not hide your identity
web cookies

NAT is a single point of failure
maintenance headache

UPnP is a complexity on top of complexity
no authentication par se
with UPnP botnet/shellcode can punch holes