We have been down the fibre path quite a ways now in NZ. Primarily in the business end. A point to note is our fibre providers are not necessarily the ISPs (there has been a push to separate these two in NZ).
So far the implementations are either route, VLAN, or MPLS based. In my experience so far this has led to many problems; an authentication-based PPP solution would have negated these issues.
For example, on our fibre network for a long time you just plugged in with your IP and gateway and away you went. However, all it took was some idiot to type his IP wrong and you'd get a conflict on the network and no idea why your connection was flaky. So then they introduced MAC address rules to tie you to IP; basically if you changed MAC addresses within a certain time period it'd lock you out. Problem for me is I often throw a new firewall on to play with. A few weeks back I was trying a Palo Alto box, took our SonicWall off, PA in... (1 MAC change), PA didn't do something right, took it out, put the SonicWall back in (2 MAC changes and BLAM I was locked out).
What you really want is an Auth system that will backend into different Authorization servers, and nothing else does that as easily as PPPoE.
The alternative is the ISP is locked to the media and vice versa. This gives you no choice in selecting providers.
As for your security/VPN issues, tell me what vendors you deal with, because I'd say 9/10 times that's your problem. I'm Cisco certified, done the Cisco clone thing for a couple of years, then got out of that. Cisco are a jack of all trades, master of none. They are particularly inept at security and VPN devices. And if it's not Cisco then it's a MS PPTP setup, which is even worse.
