Community discussions

dadach
newbie
Topic Author
Posts: 30
Joined: Wed Aug 22, 2012 4:38 pm

DMZ exposed host

Mon Nov 26, 2018 10:26 am

Hi, can I run RouterOS as an exposed host? If I configure the firewall properly, what are the chances someone can hack it?
I have a cable modem that has WAN, but I was wondering if I can block everything except the MikroTik IP and leave it in the DMZ?
Also, this way I can VPN to it, as it does not work through the cable modem with NAT.
Thanks.
 
mkx
Forum Guru
Posts: 13091
Joined: Thu Mar 03, 2016 10:23 pm

Re: DMZ exposed host

Mon Nov 26, 2018 10:37 am

If you only forward the port needed for the VPN, then it's quite secure. No VPN vulnerabilities in ROS are currently known. To make the RB even safer you could deploy some more advanced techniques, such as port knocking.
 
dadach
newbie
Topic Author
Posts: 30
Joined: Wed Aug 22, 2012 4:38 pm

Re: DMZ exposed host

Mon Nov 26, 2018 10:41 am

So on this machine I am planning to run a Plex server, torrent, a Bitcoin node, and a Lightning wallet; that is about 5-6 more ports open towards the internet. Would that compromise the router?
 
Jotne
Forum Guru
Posts: 3348
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DMZ exposed host

Mon Nov 26, 2018 10:48 am

No, the problem is when you open management ports of the router to the internet, like Winbox/SSH/Telnet/web to the router itself.
Opening ports through the router should be no problem.
But you need to make sure that the services you open are secure, like using good passwords, following best practice, etc.
 
mkx
Forum Guru
Posts: 13091
Joined: Thu Mar 03, 2016 10:23 pm

Re: DMZ exposed host

Mon Nov 26, 2018 10:55 am

Now I'm confused about your network topology. I'll assume this one:

cable modem (internet gateway, NAT) <-+-> mikrotik (for VPN)
                                      ^    (NAT, basic firewall,...)
                                      \-> host for other things

There are two things:
  • device as VPN end point (mikrotik): you need to NAT one port (or more in case of port knocking) from the cable modem to the mikrotik
  • host for other things, which might need NATed ports or not, depending on the intended availability from the internet. E.g. a bitcoin miner probably doesn't need a port forwarded, as NAT handles it dynamically for LAN clients connecting to WAN servers.

You might actually want to reconfigure the cable modem into bridge mode and use the mikrotik as router, firewall, ...

cable modem <---> mikrotik <--> LAN
(bridge mode)        ^
                     \--> host for other things

In this case, you'd configure all NAT and port forwarding on the mikrotik. Using fine firewall rules (the default is fine; you only need to add a few rules to allow certain connections that are otherwise forbidden), the whole setup can still be secure enough.

In both cases you can decide whether the "host for other things" is actually part of your LAN or separate (a kind of DMZ). In the first scenario you can put the LAN either behind the mikrotik or parallel to it (but it's highly probable that the cable modem lacks much of the routing/firewall capability present in ROS); in the second scenario you can decide to have two LAN segments, one for the DMZ and one for the rest of the LAN (it is just a matter of proper configuration).
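A worked configuration for the second scenario above (modem in bridge mode, MikroTik as the edge router), added here as an example and not posted by anyone in the thread. It assumes RouterOS v6.41+, ether1 as WAN, a LAN bridge on 192.168.88.0/24, a "host for other things" at 192.168.88.10 running Plex (TCP 32400) and a Bitcoin node (TCP 8333), and L2TP/IPsec terminated on the router; the only services reaching the router from WAN are the VPN ports, and only explicitly dst-nat'ed ports reach the host.

```routeros
# Added example, not from the thread. Assumed: RouterOS v6.41+, ether1 = WAN,
# bridge = LAN 192.168.88.0/24, host 192.168.88.10 runs Plex (TCP 32400) and
# a Bitcoin node (TCP 8333); L2TP/IPsec VPN is terminated on the router.

/interface list
add name=LAN
add name=WAN
/interface list member
add list=LAN interface=bridge
add list=WAN interface=ether1

# Bind management services to the LAN subnet so they never answer on WAN
/ip service
set [find name=winbox] address=192.168.88.0/24
set [find name=ssh] address=192.168.88.0/24
set [find name=www] address=192.168.88.0/24
set [find name=telnet] disabled=yes
set [find name=ftp] disabled=yes
set [find name=api] disabled=yes

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN comment="management from LAN only"
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=500,4500,1701 comment="L2TP/IPsec"
add chain=input action=accept in-interface-list=WAN protocol=ipsec-esp comment="IPsec ESP"
add chain=input action=drop in-interface-list=WAN comment="everything else from WAN, incl. Winbox/SSH/www"

# forward chain: traffic passing through the router
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat comment="only dst-nat'ed ports reach the host"
add chain=forward action=drop in-interface-list=WAN comment="no other WAN->LAN traffic"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="LAN to internet"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=32400 to-addresses=192.168.88.10 comment="Plex on host"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=8333 to-addresses=192.168.88.10 comment="Bitcoin node on host"
```

Verify from the WAN side that only UDP 500/4500/1701 and the two forwarded TCP ports respond; if a management port answers, a dst-nat or input rule is ordered wrong.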
 
dadach
newbie
Topic Author
Posts: 30
Joined: Wed Aug 22, 2012 4:38 pm

Re: DMZ exposed host

Mon Nov 26, 2018 11:20 am

It is a cable modem on the 0.1 LAN and it gives the MikroTik a 0.2 address; then the MikroTik has its own 88.1-100 IP range. I will not connect anything to the Technicolor cable modem except the MikroTik, and everything on the network will be in the 88.1 LAN.
The Technicolor modem does not have bridge mode, I think...
 
dadach
newbie
Topic Author
Posts: 30
Joined: Wed Aug 22, 2012 4:38 pm

Re: DMZ exposed host

Mon Nov 26, 2018 1:33 pm

No, the problem is when you open management ports of the router to the internet, like Winbox/SSH/Telnet/web to the router itself.
Opening ports through the router should be no problem.
But you need to make sure that the services you open are secure, like using good passwords, following best practice, etc.
OK, thank you.