It also prevents the whole world from scanning your outdated public interfaces. Before they can do that, they need to bypass the VPN.
If there are tens of different services, is it more likely that one of them has a vulnerability than that both the VPN and the service have one? And a vulnerability in the VPN alone does not matter if your internal network is built like it is facing the public world. You might be able to patch it before a vulnerability in other services is found.