UPnP is the next logical step to making things more user friendly.
After thinking about it a bit, I don't believe the security implications are of grave concern. Any software running locally could do the same thing. I can see the following cases:
Case 1: Malware is already on the system, and is able to open up the ports in the router itself, without help from Outpost 2.
Case 2: Other exploitable protocols are hosted on the machine. It's possible the port could be opened by Outpost 2, not closed, and then taken by another service which is exploitable. This would mean starting a network service after Outpost 2, and that network service being configured to use the same port. This is rather unlikely, and almost implies the user doing this on purpose. Plus, if the user is starting another (exploitable) network service, presumably it's because they want some kind of network service. In which case, they'll want connectivity to it. So unless it was only intended to be a LAN service, which is configured to use the same port, and which they started after running Outpost 2, it's probably not an issue. Also note that most versions of Windows use the IANA ephemeral port range 49152-65535, while Windows XP and Windows Server 2003 (before a security patch was applied to use the IANA range) use 1025-5000. Neither range includes the Outpost 2 port of 47800, which means that port will never be selected at random by a network client. The port will only ever be used when requested explicitly. Now the NetFix client does use both port 47800 and ephemeral ports, but you'd likely only use UPnP to forward port 47800.
Case 3: The Outpost 2 network protocol is exploitable. In which case, don't use Outpost 2 to play network games, or fix the problem. Either you want to play Outpost 2 over the network, or you don't. If you want to play, then you need connectivity.
And with that said, if you're still bothered by UPnP, I'm sure all it would take is an extra if statement and an ini setting to disable it. If that's absolutely necessary though, I would propose a default of using UPnP, since that means people don't have to mess with the ini file or configuration settings, which is the whole point of implementing UPnP in the first place.
The purpose of the NetFix has evolved and expanded since its first inception. It's scary to think back to what the first version was: A textbox to enter the external IP, which would then be written into the executable file as a hardcoded constant. You needed to re-patch every time your external IP changed. Primitive, but it worked. I think the EXE checksum verification had to be disabled for that to work.
The game list came much later, along with further patches to help with NAT punch through for some routers. I'm sure it had a few bugs though. I never really had a good environment for testing that stuff, and could never seem to get any conclusive data back in the logs from people who had problems. I probably wasn't logging enough. It was also a bit painful trying to get corresponding logs back from multiple people. A reporting feature might have helped, but would have taken much more work, and would likely raise some security objections from TH300. :p
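The checks discussed in Case 2 and the ini opt-out, sketched as an added example (not NetFix code and not written by the post's author). The `[NetFix]` section, the `UseUPnP` key, the function names and the UDP default for the probe are assumptions; the port and the two ephemeral ranges are the ones quoted in the post.

```python
import configparser
import socket

# Ephemeral (dynamic) client port ranges quoted in the post.
EPHEMERAL_RANGES = {
    "IANA (most Windows versions)": (49152, 65535),
    "Windows XP / Server 2003 (pre-patch)": (1025, 5000),
}
GAME_PORT = 47800  # Outpost 2 port named in the post


def ephemeral_hits(port):
    """Names of the ranges from which `port` could be picked at random."""
    return [n for n, (lo, hi) in EPHEMERAL_RANGES.items() if lo <= port <= hi]


def upnp_enabled(ini_text):
    """Opt-out switch: UPnP stays on when the key (hypothetical name) is absent."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return cfg.getboolean("NetFix", "UseUPnP", fallback=True)


def port_is_free(port, host="0.0.0.0", kind=socket.SOCK_DGRAM):
    """True if no other local service already holds the port (Case 2).

    UDP is an assumed default; pass socket.SOCK_STREAM to probe TCP.
    """
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def forwarding_decision(ini_text, port=GAME_PORT, host="0.0.0.0"):
    """Decide whether to ask the router for a mapping, and say why."""
    if not upnp_enabled(ini_text):
        return False, "disabled in ini"
    hits = ephemeral_hits(port)
    if hits:
        return False, "port lies in an ephemeral range: " + ", ".join(hits)
    if not port_is_free(port, host):
        return False, "port already held by another local service"
    return True, "ok"


if __name__ == "__main__":
    print(forwarding_decision("[NetFix]\nUseUPnP = 1\n"))
```

Run the probe before the game itself binds the port, otherwise the game's own socket is reported as the conflicting service.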