Mango, you are of course correct.
Normally I try to keep everything as secure, update, and locked down as possible. But offhand, I think it was three years ago when i asked Obi about configuration, and part of the problem is that the Comcast "cablemodem and router" whatever you prefer to call it, has limited configuration options. Apparently you can only configure a very small range of connections, firewall openings, etc. to work with the Obi and vice versa. I don't mean to be vague--I just haven't touched that in a couple of years, since both parties told me "you can't change that" with regards to the default setups.
The Comcast/Motorola/Arris Surfboard certainly does allow for a firewall and that doesn't affect it working as a router. The problem is that apparently the same connection (hole in the firewall) that allows INCOMING calls to originate from outside, allows hacks to originate outside and enter via the same port. The Obi202 then sees incoming data packets the same way it would see all normal (unsolicited) incoming phone call packets--so you can't just say "exclude unrequested incoming packets".
The firewall is there. The problem is, the Obi has to listen to incoming requests from strangers, and apparently there's no way to better secure it. (I'd really like to be wrong about that.) If there was a way to tell the Obi202 "only take unsolicited packets if they originate from..." and give them a range specific to GVoice, that might do the trick. It wouldn't stop a DOS attack from taking the Obi out of service though.
And someone out there seems to be sniffing for, and attacking Obi devices.