Good points, but...
Most places I've worked at had the VPN connections handled through the gateway/router/switch, so users only had to manually connect when they were out of the office.
Though VPNs are more secure because they're encrypted, hackers will find a way to defeat that encryption. Like they say, when you build better security, you make a better hacker.
AD is nice as a convenience, but it shouldn't be implemented just out of a concern for security. I've seen malware infect a user's profile so that it got transferred to each and every computer they logged in to.
For some smaller business networks (10 nodes), I don't see the value in forcing my clients to buy an expensive server capable of running AD.