I'm thinking about configuring a VM in the cloud as a "jump" box for WinBox / SSH to customer MikroTiks. Set an obscure admin password and then a secondary login as a worst case.
Looking into GenieACS now as well...
Both are very reasonable ideas; you can VPN to your cloud VM and then connect via WinBox from that IP. You can use GenieACS to push config changes to a device even if you can't log into it. For instance, adding entries to an address list to allow you to gain access is fairly easy.
Those security precautions are not only what I would take with MikroTik but with any router. Even with specialized firewalls like Fortigate and Check Point, it's a very bad idea to open those admin ports. If you have those admin ports open, you are putting your trust in two things: 1) that nobody has already compromised the device and has a way of monitoring your activity to see what your current username/password is, and 2) that the vendor has made absolutely no mistakes in coding, so that there is no possibility of a buffer overflow attack.
Even if you are sure of #1, you can't be sure of #2, even with the most trusted vendors. Everybody makes mistakes, and it pays to be a bit paranoid when it comes to security.
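The two posts above (the jump box plus an address list that lets it in, and the advice not to expose admin ports to the Internet at all) come together in a short RouterOS config. The following is an added example, not code from the original posts or from MikroTik; it assumes a jump host at 203.0.113.10 (a documentation address, substitute your own), the RouterOS v6/v7 terminal syntax, and that the `mgmt-allowed` list is the one you would later extend via GenieACS if you ever need to let another host in.

```routeros
# Added example, not from the thread. Assumed values: jump box 203.0.113.10,
# WinBox on 8291 and SSH on 22 (RouterOS defaults), list name "mgmt-allowed".
# Apply from a console session or WinBox safe mode (Ctrl-X in the terminal)
# so that a mistake in the input chain reverts instead of locking you out.

# 1. Address list of hosts permitted to reach management services.
#    This is the list a GenieACS job would append to if a new jump host is needed.
/ip firewall address-list
add list=mgmt-allowed address=203.0.113.10 comment="cloud jump box"

# 2. Disable services you do not use and bind the rest to the jump box only.
#    "address=" on /ip service is enforced by the service itself, independently
#    of the firewall, so it is a second line of defence if a filter rule is wrong.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=203.0.113.10/32
set winbox address=203.0.113.10/32

# 3. Input chain: accept management traffic only from the list, drop the rest.
#    These rules must sit above any broad "accept" in the input chain; use
#    place-before=N if the chain already has rules.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="allow established/related"
add chain=input action=accept protocol=tcp dst-port=22,8291 \
    src-address-list=mgmt-allowed comment="mgmt from jump box only"
add chain=input action=drop protocol=tcp dst-port=22,8291 \
    comment="drop mgmt from anywhere else"

# 4. Verify before leaving safe mode.
/ip firewall filter print where chain=input
/ip service print
```

Two practical checks: from a host that is not on the list, confirm that TCP 22 and 8291 on the WAN address are dropped (a connect timeout, not a refusal, since the rule is `drop`); and from the jump box confirm WinBox and SSH still work. Only then exit safe mode so the configuration is committed. The same pattern applies to any other management service you leave enabled (for example `api-ssl` if GenieACS or a monitoring tool needs it): bind it in `/ip service` and add its port to the two filter rules rather than opening it to the world.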