alt Hacker NewsClient isolation is helpful in the real world, but it's yet another band aid for the deeper more fundamental problem.
If a device is insecure when placed directly onto the Internet with no firewall, it is insecure. Full stop. Everything else is a hack around that fact. Sometimes you have to do that since you can't fix broken stuff, but it's still broken.
Just like it isn’t normal to buy one UPS per server, it is sensible to have one more capable firewall for all your servers, even if it does put you in a M&M situation.