A VPN is technically unnecessary unless you just want it for security reasons. Although a VPN tunnel would make the SIP/STUN/NAT traversal issue disappear, though. You will need to see what kind of average latency you get through the NAT with VPN. I always like to keep it under 250ms if at all possible, but I have seen it "work" with up to 500ms pings. Starts to sound like an overseas call, though.
Plan B is setting up a STUN server on a machine with a public IP or trying to use some of the public-use STUN servers. Everyone has mixed results with this, so your mileage may vary. It's also going to depend on what kind of SIP support your BCM50 Gateways have. Ahhh, the joys of VoIP.
It would be nice if they would at least get static IPs. Otherwise they WILL experience outages whenever the IP changes. Services like Verizon FiOS (from what I hear) change IPs every 3-5 hours whether you like it or not. My Road Runner (Bright House) IP has stayed the same for about 3 months now. Regardless, they all eventually change.
NetGear's ProSafe routers have built-in support for various dynamic DNS services like DynDNS.org. This will automatically update a DNS record like siteA.bcm50company.com to whatever their current WAN IP is, letting you use a DNS name instead of an IP in the gateway config.
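
The STUN option mentioned in the post, as an added example that is not part of the original post: a minimal RFC 5389 Binding Request builder and response parser showing how a device behind NAT learns its public address and port, and why the transaction ID must be checked before the answer is trusted. The function names and the sample address 203.0.113.7:5060 are constructed for illustration.

```python
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442      # fixed value defined by RFC 5389
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid=None):
    """Return (packet, txid) for a Binding Request with no attributes."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid, txid


def parse_binding_response(packet, txid):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("short STUN header")
    mtype, length, cookie = struct.unpack("!HHI", packet[:8])
    if cookie != MAGIC_COOKIE or packet[8:20] != txid:
        raise ValueError("cookie or transaction ID mismatch")  # unsolicited or spoofed
    if mtype != BINDING_SUCCESS or length != len(packet) - 20:
        raise ValueError("not a well-formed Binding Success Response")
    pos = 20
    while pos + 4 <= len(packet):
        atype, alen = struct.unpack("!HH", packet[pos:pos + 4])
        value = packet[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == XOR_MAPPED_ADDRESS and alen == 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return str(ipaddress.IPv4Address(addr)), port
        pos += 4 + alen + (-alen % 4)   # attributes are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS attribute")


def constructed_response(txid, ip, port):
    """Build a sample server reply (constructed data, not a capture)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr

if __name__ == "__main__":
    _, txid = build_binding_request()
    print(parse_binding_response(constructed_response(txid, "203.0.113.7", 5060), txid))
```

The mapping a STUN server reports is only valid for as long as the NAT keeps that binding, so a WAN IP change still requires the gateway to re-query.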