The service itself is insecure. You need to hide it behind a more secure setup if you want to expose it to the internet. It's been a long while since I tried, but I have some foggy memories of an RDP Server that would encapsulate the connection in an SSL tunnel and forward the connection to the remote machine rather than exposing the RDP client itself to the internet.
Definitely do your research on how to do it securely before you just set it up and open it to the wild.
Oh sure, VPN is definitely the preferred way if you already have the infrastructure in place. My experience with the front-end RDP server was years ago as the sysadmin for a company. My experience is likely very out of date, and was very corporate-focused, rather than for an enthusiast.
Nowadays I try not to touch Windows, and haven't used RDP in years.