• OK, if an attacker compromises the system using a buffer overrun, for example, then she will get the highest privilege of access and delete all the stored procedures or any blockers enforced by any policy, as they directly own the DBMS now - so creating stored procedures in the SQL machine itself won't help a lot.

    As for the double firewall, if the packet is designated for the SQL server and it looks like every other packet (i.e. totally legal), the firewall will let it through - even if there are more than 2 firewalls. As nobody suspected this packet to crash the buffer, it will flow without any warning.

    As to the reality of the attack, I wish everything was as unreal as it seems. The Code Red virus is my favorite example. Looking at the design of this virus, you might think that the virus writer had access to the SQL server code. There are so many similar attacks that penetrate even encrypted or SSL communication that it leads me to believe that we are not that secure anymore.


    Regards,

    Yaroslav