You usually still have to punch with IPv6 as there is usually a stateful firewall in the way. You just get 100% success vs the 80-90% you get with V4 (and getting worse as CGN gets more common).
This is correct. It's very annoying for any p2p like application, because the punching is a coordinated and time sensitive dance that just circumvents particular firewall bs. The firewall approach comes from this heavily flawed idea of the client initiated model of communication, extrapolated to client=consumers and server=service providers. It's just awful that the majority of the nodes on the internet aren't even reachable by default.
Anyway, it would be much better to leave the socket APIs to handle this, possibly with OS safeguards and privileges. Writing p2p applications is analogous to being constantly protected "for your own good" by a guardian. /rant
It's used like that because for a long time that approach worked. Users are terrible at securing their own machines and will click yes on anything just to get a thing they want and so putting stateful firewall allowing only outgoing connections was very effective measure.
Much less relevant when now even windows comes with half decent, reasonable default firewall out of the box. Then again "user clicking allow button till it works" is still a problem.