Open
WiFi is no more open than plugging into a random cat5 port in a
hotel or an
airport lounge. Conversely, a 'secure'
WiFi or wired connection is only secure in its very first hop - between the endpoint and the first switch/router.
Beyond that all bets are off, and it should always be assumed that traffic can be intercepted and inspected en
route. A VPN helps to secure a few more hops, but unless it is a company VPN which is terminated on a secure internal
network segment, there is again a chance that interception is feasible.
By simply ensuring all important transactions are conducted over a secure protocol such as HTTPS instead of clear text like HTTP, most of the problem of open connections is mitigated. The baddies may be able to tell that you are interacting with your
Internet banking provider, but the content of that interaction should remain inscrutable.
Too much focus on "is my WiFi access point secure" can lead to the erroneous belief that everything is private if the WiFi segment has that little padlock on the systray icon. It is only one link in a long chain.