UPnP has covered a huge percentage of use cases that actual users care about, and those who it doesn't cover are often able to do their own customization.
I used to have it enabled long ago. It's insecure. Random cheap devices will open up ports with UPnP without the user noticing. It doesn't work that well either, because hosts will conflict on ports. P2P applications have better ways to establish connectivity.
How can both be true at the same time: It's insecure for random devices to be able to open up ports, and applications don't even need to open up ports for P2P communication?
If a random device/application wants to insecurely communicate with somebody/something, it will find a way, I agree on that.