UPnP is a security risk (as is forwarding all UDP ports to a single device). Nintendo should set up STUN servers so the Switch can do UDP hole punching.
Enabling UPnP on your router enables a malicious app to permanently forward ports from the outside to the inside. The malicious app could also forward ports to other devices on your network. For example, installing a bit of malware on your laptop could set up a port forwarding rule from the internet to your NAS's web interface.
UDP hole punching via STUN requires continuous work on the part of a malicious app to keep that port open, work that could be noticed much more easily than a rogue UPnP-using bit of malware. And it can't open ports to other devices on your network.
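To check a router for the two UPnP problems described above (forwards that never expire, and forwards aimed at devices that never asked for one), the following added example, which is not part of the original text, audits a port-mapping listing. It assumes the line layout printed by miniupnpc's `upnpc -l`; the sample listing, addresses and the allowlist of hosts are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample, in the layout assumed for `upnpc -l` output.
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP 45000->192.168.1.50:45000 'switch-game' '' 3600
 1 TCP  8443->192.168.1.20:443   'updater' '' 0
 2 UDP 45001->192.168.1.50:45001 'switch-game' '' 0
"""

ENTRY = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->(?P<host>[\d.]+):(?P<port>\d+)"
    r"\s+'(?P<desc>[^']*)'\s+'(?P<remote>[^']*)'\s+(?P<lease>\d+)\s*$"
)

@dataclass
class Mapping:
    proto: str
    ext_port: int
    host: str
    int_port: int
    desc: str
    lease: int  # seconds; 0 means no expiry under IGD v1 semantics

def parse_listing(text):
    """Return a Mapping for every entry line; header and noise lines are skipped."""
    found = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            found.append(Mapping(m["proto"], int(m["ext"]), m["host"],
                                 int(m["port"]), m["desc"], int(m["lease"])))
    return found

def audit(mappings, allowed_hosts):
    """Flag mappings that target unexpected hosts or that never expire."""
    findings = []
    for mp in mappings:
        reasons = []
        if mp.host not in allowed_hosts:
            reasons.append("targets a host not expected to have forwards")
        if mp.lease == 0:
            reasons.append("lease 0: mapping does not expire")
        if reasons:
            findings.append((mp, reasons))
    return findings

if __name__ == "__main__":
    # Assumption: only the console at 192.168.1.50 should ever hold a forward.
    for mp, reasons in audit(parse_listing(SAMPLE_LISTING), {"192.168.1.50"}):
        print(f"{mp.proto} {mp.ext_port} -> {mp.host}:{mp.int_port}: {'; '.join(reasons)}")
```

A mapping list cannot show which device requested an entry, so the allowlist of expected internal hosts is what surfaces a forward pointed at something like a NAS.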