Like what? If we're running a remotely accessible service on a VM, it's because something remote needs to access it. Remote as in "another device on this network", not as in "any internet accessible device".
E.g., on our web worker VMs there is just one remotely accessible service, sshd. On our DB servers, sshd and mysqld/postgres. Externally, the only way to interact with our web cluster is via HTTP, first via Akamai and ELB, then to a trivial interface server, which turns requests into messages that are then received by the web workers, processed into responses and returned to the interface server, which returns them to the web client.
A malicious user could (theoretically) attack ELB or our interface server, but if they can cause a programming error in *our* code, it is extremely difficult to turn that into an exploitable error, as there is no return channel connected to the malicious user.