A pull would be safer than a push, in terms of a direct attack. As you've surmised, if legitimate traffic can get in, then illegitimate traffic can also. However, an undetected payload is still a problem, regardless.
In the past year I've made the mental "switch" from prioritizing defense AGAINST infection to prioritizing mechanisms to recover FROM infection; techniques for getting malicious code onto systems are getting significantly more sophisticated, to the point that it's not a matter of IF you're going to get hit, but WHEN. How to recover from the inevitable has become more of my focus than it was in the past.
Sadly, I can speak from experience of getting bitten by a ransomware attack and having it somehow (still haven't figured out how it did it) encrypt my Exchange Server databases, but nothing else. I recovered totally, though.