[ZeroSolstice]

I'm not really sure its anymore of a security hole than any other device an end user would plug into their network. You can go on Shodan and look at hundreds of peoples devices exposed on the internet over IPv4. The same block in/all could be deployed for IPv6. I don't think most residential ISP's are concerned with protecting end users networks as they are trying to be mostly net neutral.

On the side of hospitals I would think most IPv6 allowances would at a minimum be managed on the edge firewalls which would be a separate device than the ISP's hand-off, host based firewalls aren't a requirement. An assumption on my part but I would doubt for those transit connections the upstream is just "turning" IPv6 on without some co-ordination. Admittedly, I don't know a lot about how hospital networks are run but i'd imagine some MSP involvement for smaller locations, possibly.