I agree that the VPN can be combined with other tech, such as layer 7 tooling, to get the best of both worlds (VPN for layer 4 data, layer 7 tooling for layer 7 data). What NIST recommends is shifting away from VPN-only infrastructure, and if one were to reevaluate the modern digital infrastructure stack for the current threat landscape, probably sparingly.
"Remote enterprise assets should be able to access enterprise resources without needing to traverse enterprise network infrastructure first. For example, a remote subject should not be required to use a link back to the enterprise network (i.e., virtual private network [VPN]) to access services utilized by the enterprise and hosted by a public cloud provider (e.g., email)."
Right, VPN-only is bad. But VPNs are still needed because getting every last application to use TLS or whatever is a non-trivial project. So no, VPNs aren't bad; VPNs are only bad when they're all you use. We don't have to keep going on and on around this. It's very, very simple.
You've misunderstood the quoted paragraph. They are saying that services that aren't on the corporate network behind the VPN or PEP should not require being routed through the corporate network to access, ideally.
Page 22 of https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...
"Remote enterprise assets should be able to access enterprise resources without needing to traverse enterprise network infrastructure first. For example, a remote subject should not be required to use a link back to the enterprise network (i.e., virtual private network [VPN]) to access services utilized by the enterprise and hosted by a public cloud provider (e.g., email)."