True, but in the case where stuff is making a connection to an external server, it's not opening up access for all and sundry from anywhere. So in that case, the risk is really only from accessing a compromised server - it's a risk, but a considerably smaller target for an attacker to hit.
With the sort of kit and issue here, there's a combination of things - UPnP on by default in the router, and the device using it to create an externally accessible target - which make the device accessible from anywhere in the world with an internet connection. Then add sloppy security & coding (one might suggest, not a care for security when coding - bolt it on afterwards), which exposes more than was intended, and hey presto, you have a much, much more serious problem than a device that makes a connection to an outside server in order to create an inbound route.
An example of the latter might be LogMeIn. With that, the device inside your network maintains an outbound connection to the LogMeIn service and sits there waiting for a connection request. The only way to access that connection is to go through the LogMeIn service - the device isn't directly accessible from anywhere on the internet. I'm inclined to think that LogMeIn are big enough to employ someone with a bit of security knowledge - it certainly won't be as wide open as these sloppily coded devices.
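To make the point above concrete, here is an added example (my own code, not from the original thread, the router vendors, or LogMeIn) of how little a LAN device needs to do to create the "externally accessible target" being discussed, and how you would audit your own router for such mappings. It builds the single UPnP IGD `AddPortMapping` SOAP call a device sends to the router, and parses a `GetGenericPortMappingEntry` reply to classify what each existing mapping exposes. The SOAP reply, the internal address 192.168.1.50 and the description "IPCam" are constructed sample data, not captured from any real product.

```python
"""UPnP IGD port-mapping example: what a device sends to open an inbound hole,
and how to read back and classify the mappings a router already holds.
Sample data below is constructed for illustration, not captured from a real device."""
import xml.etree.ElementTree as ET

# Standard UPnP IGD service and SOAP envelope identifiers (real URNs).
IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"


def add_port_mapping_request(ext_port, int_port, int_client, proto="TCP",
                             desc="IPCam", lease=0):
    """Return (headers, body) for an IGD AddPortMapping call.

    One unauthenticated HTTP POST of this body to the router's control URL is
    all a device needs; an empty NewRemoteHost means "from any source" and a
    NewLeaseDuration of 0 means the mapping never expires."""
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{IGD_SERVICE}#AddPortMapping"',
    }
    body = (
        f'<?xml version="1.0"?>\n'
        f'<s:Envelope xmlns:s="{SOAP_ENV}" s:encodingStyle="{SOAP_ENC}">\n'
        f'<s:Body><u:AddPortMapping xmlns:u="{IGD_SERVICE}">\n'
        f'<NewRemoteHost></NewRemoteHost>\n'
        f'<NewExternalPort>{ext_port}</NewExternalPort>\n'
        f'<NewProtocol>{proto}</NewProtocol>\n'
        f'<NewInternalPort>{int_port}</NewInternalPort>\n'
        f'<NewInternalClient>{int_client}</NewInternalClient>\n'
        f'<NewEnabled>1</NewEnabled>\n'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>\n'
        f'<NewLeaseDuration>{lease}</NewLeaseDuration>\n'
        f'</u:AddPortMapping></s:Body></s:Envelope>'
    )
    return headers, body


# Constructed sample reply to GetGenericPortMappingEntry (hypothetical camera).
SAMPLE_ENTRY = (
    f'<s:Envelope xmlns:s="{SOAP_ENV}" s:encodingStyle="{SOAP_ENC}">\n'
    f'<s:Body>\n'
    f'<u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_SERVICE}">\n'
    '<NewRemoteHost></NewRemoteHost>\n'
    '<NewExternalPort>8080</NewExternalPort>\n'
    '<NewProtocol>TCP</NewProtocol>\n'
    '<NewInternalPort>80</NewInternalPort>\n'
    '<NewInternalClient>192.168.1.50</NewInternalClient>\n'
    '<NewEnabled>1</NewEnabled>\n'
    '<NewPortMappingDescription>IPCam</NewPortMappingDescription>\n'
    '<NewLeaseDuration>0</NewLeaseDuration>\n'
    '</u:GetGenericPortMappingEntryResponse>\n'
    '</s:Body>\n</s:Envelope>'
)


def parse_mapping_entry(xml_text):
    """Parse one GetGenericPortMappingEntryResponse into a dict."""
    root = ET.fromstring(xml_text)
    ns = {"s": SOAP_ENV, "u": IGD_SERVICE}
    resp = root.find("s:Body/u:GetGenericPortMappingEntryResponse", ns)
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntryResponse")

    def text(tag):
        # Argument elements in IGD responses are unqualified (no namespace).
        el = resp.find(tag)
        return (el.text or "").strip() if el is not None else ""

    return {
        "remote_host": text("NewRemoteHost"),
        "external_port": int(text("NewExternalPort")),
        "protocol": text("NewProtocol"),
        "internal_port": int(text("NewInternalPort")),
        "internal_client": text("NewInternalClient"),
        "enabled": text("NewEnabled") == "1",
        "description": text("NewPortMappingDescription"),
        "lease": int(text("NewLeaseDuration")),
    }


def exposure(mapping):
    """Classify a mapping by who can reach it and for how long."""
    if not mapping["enabled"]:
        return "disabled"
    scope = "any-source" if not mapping["remote_host"] else "from " + mapping["remote_host"]
    life = "permanent" if mapping["lease"] == 0 else f"{mapping['lease']}s"
    return f"{scope}, {life}"


if __name__ == "__main__":
    m = parse_mapping_entry(SAMPLE_ENTRY)
    print(f"{m['protocol']} {m['external_port']} -> {m['internal_client']}:"
          f"{m['internal_port']} ({m['description']}): {exposure(m)}")
```

Against the sample reply this reports `TCP 8080 -> 192.168.1.50:80 (IPCam): any-source, permanent`, which is exactly the "accessible from anywhere in the world" case. To run the same audit against a real router, the `upnpc -l` command from miniupnpc walks the mapping table with these same `GetGenericPortMappingEntry` calls; the relay model described for LogMeIn produces no such entry, because the only thing the device opens is an outbound connection.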