TOG
Lovely terminology in this business isn't it
Only the other day I was explaining to my girlfriend what Back Orifice is.
None of the stuff you list will get in *unsolicited* through a NAT router, because NAT hides the rest of the system behind the port translation.
If you are already running BO then you are stuffed. You may as well run PC Anywhere with no security and tell everybody...
People can mount DOS attacks against the router - fine if they want to waste time. You aren't microsoft.com so why worry?
What will get in is stuff incoming in response to a request from the inside; e.g. when browsing an infected website. Yes, you could config a firewall to block the obvious attacks there but even micro$oft will have patched the obvious holes like that long ago. What you can't do is config your firewall to inspect every downloaded JPEG to see if it has a malformed header - a fairly recent back door into windoze.
Some routers have known back doors. Drayteks do expose their HTTPS config port to the WAN (even when remote admin is disabled; a known bug which they haven't fixed yet) so if you left the password at "admin" there's a way for an outsider to reconfig your router
To the average punter, firewalls are a waste of time. Every 5 mins the stupid thing pops up saying "application XXX wants to go outside, yes/no?" and if you click NO then you can't even print to a local printer, can't do lots of things. Adobe Acrobat can't scan for updates and hangs for a while before it gives up, etc. It isn't worth the hassle. Half the popups are pretty obscure.