It is all a decision based on risk where risk = likelihood * impact. Only an individual can determine their tolerance for risk.
For many, the risk of having one or two ports open to the Internet is worth the benefit of not being required to use a cloud service like my.openhab or go through the pain of setting up an OpenVPN server.
For others the risk is way beyond anything they are willing to take on.
Providing a middle ground with something like fail2ban is a nice middle step for those who are unwilling to rely solely on openHAB’s built-in security but unwilling or unable to set up their own OpenVPN instance, and I applaud the addition of this approach to the toolbox.