What do you disagree with?

> Personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider, often increasing the attack surface.

That's true. A VPN service replaces the ISP as the Internet gateway with the VPN's systems. By adding a component, you increase the attack surface.

> Many free and commercial VPN providers have questionable security and privacy policies.

Certainly true.

> if your organization requires a VPN client to access its data, that is a different use case.

Also true: That's not a VPN service; you are (probably) connecting to your organization's systems.

There may be better VPN services - Mullvad has a good reputation around here - but we really don't know. Successful VPN services would be a magnet for state-level and other attackers, which is what the document may be concerned with.