Suppose you have a standard database-backed website. With his procedure the database would wind up on the internet, exploitable by anyone who knows of a security flaw in it. Under standard operating procedures you'd have a firewall through which the web servers are accessible, and a second firewall that allows the web servers, but nobody else, to connect to the database. Now if someone on the internet knows of a problem in your database software, it is not easily exploitable.
No. With his procedure the database would be properly configured to listen only to connections from the local network or localhost. So it wouldn't really be any more vulnerable than if there was a firewall protecting it.
His point, in my understanding, is that you should harden your servers, firewalled or not, and for hardened hosts a firewall doesn't add a lot of value anymore.
In an ideal world where your OS has no vulnerabilities, your application stack has no vulnerabilities, and you never make configuration errors, I would agree.
However, as far as computer security goes, it is very far from an ideal world.
See ghshephard's comments about "Defense in Depth" above.