First, a VPN would best be used as an additional layer of security for the whole network, not as a shell for one particular box. Second, a group very publicly announced, by hacking ImageShack, that they were going after full-disclosure security blogs. A little later, they warned that they had an ssh 0-day. The prudent thing for a full-disclosure security blog to do would be to put some additional security around their internet-facing ssh.
It depends. If it's the same box and you can get root from exploiting OpenVPN, then nothing. But if you are doing this correctly, running OpenVPN on a non-critical server that serves as an entry point for the rest of the network, then you just got yourself an extra layer of security. It's like the probability that there are two bombs on the plane.
Well, my point is, why would anyone leave SSH open like that on a critical server? Don't want to set up a whole VPN or use things like port-knocking? Just configure your damn firewall to accept only connections from your IP. Wow, I mean, there's a million things I can think of to minimize your risk from a single ssh 0-day exploit and I'm not even a sys admin.