What are your thoughts on the current state of Viptela's network security features? Do you believe they are good enough to allow direct internet access at the branch?

I'm a sales engineer for a large telco & MSP. We do a lot of managed SD-WAN deployments for our customers, however, the "standards" we use are quite antiquated and we are extremely slow to enable new features, platforms, and code. As of right now, I've been led to believe that the security features on the Viptela/Cisco SD-WAN platform are shit, and that they alone are not sufficient to protect internet-bound traffic at the branch. However, I've been doing some digging, and it would appear that the Cisco security features are not quite as limited as I thought...

With this in mind, I'm trying to figure out just why we're shitting on Cisco/Viptela as a branch security device. Is it because it's actually a bad platform, or is it just because we won't/can't/aren't-allowed-to support it. I'm curious to know what your thoughts are.