In my experience that approach actually ends up leading to weaker security. When you have 5 or 6 security layers it's not clear which ones are important; people get confused about which parts can be safely bypassed and how, and you end up with a Swiss cheese where sooner or later all of the holes line up. Having a really clear distinction between public and private services works better.
In a way, yes. I'm sure everyone here has heard "This service can only be accessed on VPN anyway so we don't need authenticated access or care about security in the service itself".