You could try putting your origin IP behind CloudFlare Spectrum (think: CloudFlare but for Minecraft* instead of websites), then your only other worry is ensuring you don't run malicious plugins or mods.
*Or any non-HTTP service, actually
As long as you only port forward 25565 (and any related ports as required), you should be fine. Security-wise, most routers default to moreorless block all incoming traffic unless it's as a response to something that came through your network (for example, you visiting a website; the website needs to send the data you asked somewhere, right?).
Take this analogy: If you don't tell people your address, how are they supposed to visit you?
The same principal exists in networking...
And if you don't want people to visit you... Why are you even inviting people to begin with? (Replace people with other people's computers)
Furthermore, Minecraft zero-days are unaffected by whether your source IP is revealed or not. If the machine is compromised, the intruder need only run a netscan (what is my ip lookup) and address is compromised.
Basically: make sure your Minecraft software is up to date and has security patches. Networking isn't an issue, unless you have other things exposed unnecessarily. Hole exists in software; not routing, which is already as secure as you can get (without blocking everything).
Alternatively, play only LAN (aka. all the players physically showing up at your physical house) or don't use your home network to host a server to be accessed from the internet and just rent a server off a host. They handle everything for you, including security.