[assuming you're using best practices etc] having your users log into a centralized VPN means that you've got all your different on-prem/DC services and services all in well-designed tightly-controlled VLANs with pinhole access network ACLs between them. additionally, you've got your VPN users in tightly-controlled role-specific VPN groups in their own IP pools that are again additionally tightly-controlled via network ACLs. all of this takes time to set up, run and monitor. unless you run a tight ship with automation helping many of these steps and layers, it can be a logistical nightmare. maybe that's what GP meant.
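The layering the comment above describes (one IP pool per VPN role, and a default-deny ACL that pinholes each pool into only the service VLANs that role needs) is easier to run and audit when the policy lives in one machine-readable place and the firewall rules are generated from it. The following is an added example, not code from the commenter: it models that policy, answers "is this flow allowed?" for a given source/destination/port, flags overlapping pools (which would let one role inherit another's pinholes), and renders the whole thing as an nftables forward chain. All role names and address ranges are constructed.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Pinhole:
    """One allowed flow from a VPN role's pool into a service VLAN."""
    dst_net: str   # service VLAN subnet (CIDR)
    proto: str     # "tcp" or "udp"
    port: int      # destination port


# Constructed example policy (role names and address ranges are made up):
# each role has its own VPN IP pool and an explicit list of pinholes.
# Anything not listed here is denied.
ROLE_POLICY = {
    "vpn-dba": {
        "pool": "10.200.10.0/24",
        "allow": [Pinhole("10.10.30.0/24", "tcp", 5432)],
    },
    "vpn-devs": {
        "pool": "10.200.20.0/24",
        "allow": [Pinhole("10.10.20.0/24", "tcp", 22),
                  Pinhole("10.10.20.0/24", "tcp", 443)],
    },
    "vpn-helpdesk": {
        "pool": "10.200.30.0/24",
        "allow": [Pinhole("10.10.40.0/24", "tcp", 3389)],
    },
}


def role_for(src_ip, policy=ROLE_POLICY):
    """Return the role whose VPN pool contains src_ip, or None if no pool matches."""
    addr = ipaddress.ip_address(src_ip)
    for role, spec in policy.items():
        if addr in ipaddress.ip_network(spec["pool"]):
            return role
    return None


def is_allowed(src_ip, dst_ip, proto, port, policy=ROLE_POLICY):
    """Default-deny check: a flow passes only if it matches a pinhole of the source's role."""
    role = role_for(src_ip, policy)
    if role is None:
        return False
    dst = ipaddress.ip_address(dst_ip)
    for hole in policy[role]["allow"]:
        if (dst in ipaddress.ip_network(hole.dst_net)
                and hole.proto == proto.lower()
                and hole.port == port):
            return True
    return False


def overlapping_pools(policy=ROLE_POLICY):
    """Overlapping pools let one role inherit another's pinholes; return such role pairs."""
    pairs = []
    for (r1, s1), (r2, s2) in combinations(policy.items(), 2):
        if ipaddress.ip_network(s1["pool"]).overlaps(ipaddress.ip_network(s2["pool"])):
            pairs.append((r1, r2))
    return pairs


def render_nftables(policy=ROLE_POLICY):
    """Render the policy as an nftables forward chain whose default is drop."""
    lines = ["table inet vpn_acl {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for role, spec in policy.items():
        for hole in spec["allow"]:
            lines.append(f"    ip saddr {spec['pool']} ip daddr {hole.dst_net} "
                         f"{hole.proto} dport {hole.port} accept comment \"{role}\"")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Refuse to render a policy whose pools overlap; otherwise print the ruleset.
    if overlapping_pools():
        raise SystemExit(f"overlapping VPN pools: {overlapping_pools()}")
    print(render_nftables())
```

Keeping the policy as data means the same source drives the firewall ruleset, a pre-deploy check (the overlap test), and a quick answer to "why can't this user reach that host?" without reading raw rules.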
Could you elaborate? I'd like to learn from the errors of the past