OK i'll give you it's be another attack vector but really anything badly writen/configured would be too and if you mis-configure/mis-manage the VPN server encryption it worthless
proof by the fact that I've found client keys and certs in an apache directory listing at that point you're screwed