You're right, but only if you are an experienced IT guy in enteprise environnement. Most users (myself included) on Lemmy do not have the necessary skills/hardware to properly configure and protect their networking system, thats way I consider something like wireguard way more secure than opening an SSH port.
Sure SSH key based configuration is also doing a great job but there is way more error prone configuration with an SSH connection than a wireguard tunnel.