Reply to post:

Your specialist subject? The bleedin' obvious... Feds warn of RDP woe

Lee D Silver badge

I'm not convinced.

RDP = "look at this picture of secured and configured internal system that is compliant to all our policies" and if you disable file sharing "no, you can't just suck the network data out of the connection".

VPN = "send whatever traffic you like down our wires from whatever machine you might want to, which might have anything on it and might pull any traffic or data it sees".

RDP can also be secured against non-protocol problems (e.g. brute-force password attacks, etc.) using 2FA, and "protocol" vulnerabilities are rare and patched against.

I still think the attack surface of RDP is not only much lower, but much easier to secure, much less damaging and keeps everything internal - your data is less likely to wander off without a trace. Imagine: A rogue program on someone's machine gets access to their remote access method. There's credit-card info of a million customers there. You discover that. Now you need to make a disclosure.

With RDP - it's whatever that session accessed, as that user, over whatever programs are available, on what could be a freshly-imaged VM (basic terminal server functionality in Server editions allows you to wipe a bunch of VMs back to image and use a new one for each connection that comes in) inside a session, and then - whatever method it used to extract and distribute that data using whatever programs are available on that VM only.

With VPN - that's a complete traffic trace (if you could even store that amount of data) and a huge amount of potential access to internal systems.

And both have flaws, need patches and can be badly configured.

"Show me a picture of a machine like one I use in work" will always seem less damaging than "join me to your entire network" (even if you put in firewall controls, etc., if they are to access a shared drive, you're allowing the CIFS ports and traffic, and bang you've opened up whole new classes of vulnerabilities). If you're using RDP, you need to hope that the remote machine is even *capable* of executing the program you want to use to steal information, and that they haven't whitelisted the software on those machines such that you can't even try to plant a virus or email yourself an executable, etc.
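The commenter's argument rests on three things actually being in place on the RDP host: device and clipboard redirection switched off (so the session really is just "a picture"), authentication enforced before a session is rendered, and the listener reachable only from where it should be. The following PowerShell audit is an added example, not code from the post or from The Register; it reads the standard Windows policy and listener registry values and the built-in "Remote Desktop" firewall rule group, and the management subnet it expects is an assumed placeholder.

```powershell
# Added example: audit the RDP hardening the comment above takes for granted.
# Reads documented Windows registry values and firewall rules; the subnet
# below is an assumption for illustration, not a value from the article.

$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$AllowedSubnet = '10.10.0.0/24'   # assumed management subnet (placeholder)

function Get-PolicyValue([string]$Name) {
    # A policy value is absent until a GPO or registry setting creates it;
    # treat "missing" as "not enforced" (0) rather than as an error.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

$findings = @()

# 1. Redirection: "you can't just suck the network data out of the connection"
#    only holds if drive, clipboard, COM/LPT and PnP redirection are disabled.
$redirection = @{
    fDisableCdm      = 'drive redirection'
    fDisableClip     = 'clipboard redirection'
    fDisableCcm      = 'COM port redirection'
    fDisableLPT      = 'LPT port redirection'
    fDisablePNPRedir = 'Plug and Play device redirection'
}
foreach ($name in $redirection.Keys) {
    if ((Get-PolicyValue $name) -ne 1) {
        $findings += "Policy $name not set: $($redirection[$name]) is still allowed"
    }
}

# 2. Network Level Authentication: credentials are checked before any session
#    (even the logon screen) is rendered, shrinking the unauthenticated surface.
$nla = (Get-ItemProperty -Path $ListenerKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -ne 1) {
    $findings += 'Network Level Authentication (UserAuthentication=1) is not enforced'
}

# 3. Firewall scope: the inbound "Remote Desktop" rules should be limited to
#    the management subnet rather than accepting connections from Any.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue
foreach ($rule in $rdpRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings += "Firewall rule '$($rule.DisplayName)' accepts RDP from Any; restrict to $AllowedSubnet"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'RDP hardening checks passed'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    # Remediation for the firewall finding (uncomment to apply on the host):
    # Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -RemoteAddress $AllowedSubnet
}
```

Run it in an elevated session on the RDP host. The redirection and NLA values are normally set through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services), so a finding usually means the policy was never applied rather than that the registry was hand-edited; the script reports rather than changes state so it can be run as a scheduled compliance check.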
