Anyone still running IBCM?

Is anyone using IBCM (internet-based client management) still?

Has anyone found a justification for the cost of CMG assuming you have a proper DMZ and a solid PKI to run IBCM? Anyone have any links to breach stories related to a (fully patched and reasonably run) ConfigMgr instance with IBCM?

All I find are generic "it's more secure to use CMG" statements with no examples of weaknesses of IBCM aside from the generic "it's always good to not host anything internet accessible yourself" spiel you always get from people selling cloud services.

Given a choice between certificate based AOVPN Device Tunnel (eliminates the concept of an "off network" device and makes IBCM and CMG irrelevant), or running IBCM, what would you pick and why?