@stefano 🤦♂️
Seems like you are dealing with a certified box-checker GRC (governance, risk, & compliance) wonk, who typically has little hands-on experience.
Now, they are not wrong that OpenSSH should be updated, but you have at least one compensating control that it is supposed to only be accessible via VPN. The rub is what & when it is not behind the VPN - and you never say never.
I've run into more situations than I care to remember where some rogue engineer opened up the ACLs to allow worldwide access to the endpoint "just for testing" over a long holiday weekend - and watched the attacks start quickly after. 🤦♂️😞