Would it not also be a good idea/practice *not* to ever let a MS SQL
server (or *any* database server) sit on a network that is directly
accessible from the internet? Having a firewall(s) in front of your
database server regardless of the type is pretty much common sense, right?
It's bad enough to be stuck having to run/support IIS and MSSQL in any
scenario, but letting MSSQL talk to the world just seems like asking for
even more trouble.

That depends on what you are using the server for - it might be
used by various offices around the world, or to interface
with other corporations' platforms etc. Ideally this would be in
a secured VPN or at the very least be limited by IP address, but
MS SQL admins are not alone in the pretend everything will be ok
from a security standpoint.