Cisco, as do most other companies/experts etc., recommends that NAT should not be seen as a security practice but rather an IP address preservation issue.
The danger is with the inbound access given.
If you have a web server that you want internet users to be able to connect to, it really doesn't make that much difference if you present it on a public IP and it has a private IP or whether it has a public IP. Key thing here would be that the web server is on a DMZ.
However, with private addressing on all your clients they are not open to connections from the internet unless they make an outbound connection first. But with public addressing you are far more reliant on the access given through the firewall. A rule that is slightly more open than intended could have unforeseen consequences.
As for IP spoofing, well yes, you could spoof the source addresses and this could be a concern. It is still relatively tricky to spoof a full-blown TCP connection, but obviously the idea of someone spoofing a UDP SNMP set message telling their core router to shut down is something you wouldn't want!
But all that said, put simply, you shouldn't rely on NAT for security, i.e. in the example used above for SNMP you should have a non-standard SNMP string and an access-list that limits which IP addresses can send commands to the router.
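The SNMP hardening described in the answer above (a non-default community string plus an access-list limiting who can send commands), turned into a small configuration audit. This is an added example, not part of the original thread; the sample configuration, community names and finding labels are constructed for illustration, and the parser assumes the IOS `snmp-server community <string> [view <name>] [ro|rw] [<acl>]` line form.

```python
import re

# Constructed IOS-style sample config (illustrative, not from the thread).
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.10
access-list 10 deny any
snmp-server community public RO
snmp-server community private RW
snmp-server community n0c-Mgmt-7f3 RW 10
snmp-server community m0n-Read-2a9 RO 99
"""

DEFAULT_COMMUNITIES = {"public", "private"}

# snmp-server community <string> [view <name>] [ro|rw] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)?"
    r"(?: (?P<mode>ro|rw))?(?: (?P<acl>\S+))?$",
    re.IGNORECASE,
)
# Numbered ("access-list 10 ...") and named ("ip access-list standard X") ACLs.
ACL_RE = re.compile(
    r"^(?:ip access-list (?:standard|extended) |access-list )(?P<id>\S+)"
)


def audit_snmp(config):
    """Return sorted (community, mode, issue) tuples for weak SNMP settings."""
    lines = [line.strip() for line in config.splitlines()]
    defined_acls = {m.group("id") for l in lines if (m := ACL_RE.match(l))}
    findings = []
    for line in lines:
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        name, acl = m.group("name"), m.group("acl")
        mode = (m.group("mode") or "ro").upper()  # IOS defaults to read-only
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append((name, mode, "default-community"))
        if acl is None:
            findings.append((name, mode, "no-acl"))
        elif acl not in defined_acls:
            findings.append((name, mode, "undefined-acl"))
    return sorted(findings)


if __name__ == "__main__":
    for community, mode, issue in audit_snmp(SAMPLE_CONFIG):
        print(f"{community} ({mode}): {issue}")
```

A community that references an ACL number with no matching `access-list` lines is reported separately, since the restriction the line appears to apply is not actually defined in the audited configuration.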
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...