There have been quite a considerable number of router vulnerabilities over the last year or so.
UPnP is a security risk in itself; it's much better to close off all ports and manually open the necessary ones, but I suspect most people would be annoyed by having to do that.