Just good practice - for the one time you do accidentally expose it or some kind of attacker makes it on the trusted side of the network.
More like security through obscurity. But I can't deny that to some extent it works.
As long as you use a complex/secure username/password, opening the Winbox port isn't as problematic as it used to be. They use AES128-CBC-SHA encryption, ...
If I remember correctly, they even added some MITM-resistant authentication protocol. So in theory, it should be perfectly safe, as long as they didn't make any mistake that would turn into a security hole. Problem is, you never know if that may be the case.
Of course if you don't expose it at all, it's the safest way. But it's not fair to say that everything else is completely wrong. It's like saying that someone deserved to have their house burgled, because it had doors and windows, with big locks and everything, but with no doors or windows at all it wouldn't happen. Probably true, but...
If you use v7 and have an ARM CPU, ZeroTier is just wonderful for remote management – no open ports required as would be the case with any other VPN choice here.
Only you either have to rely on some external service (which I'm not a big fan of, if I don't have to) or you have to host the server yourself, which needs to be accessible, and in this case you may as well use any other VPN.