You will be forwarding a specific set of ports directly to the phone system, literally tens of thousands of systems are setup this way... There is no appreciable security concern as long as it's done properly.
I usually tell customers, depending on their Internet connection, that 4-6 phones remotely via port forwarding is fine, much more than that needs an MBG. That said, I have customers with 20+ phones remotely via port forwarding and zero issues. I have never seen, nor heard from another tech anywhere (and I talk to a lot of them), of a security breach via a remote MiNet phone or it's connection.
What exactly does an MBG give you over port forwarding? Capacity, management, some level of security
Is port forwarding as insecure as it sounds? No, there are no appreciable security concerns with MiNet phones (SIP is a different story though)