i'm not even saying "ugh security is hard" i'm saying the attack surface for ssh has been understood for quite a while and we should have decent defaults to make it SAFE to use. Which means:
1. Deny root login
2. Deny password authentication
3. Require public-key authentication
4. Close off any deprecated key exchange methods
5. Auto-ban brute force attempts
That's like. A minimum best effort. Really.
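As an added example that is not part of the post: a POSIX sh audit that reads an sshd_config and reports whether items 1 through 4 above are in place (item 5, auto-banning brute force attempts, lives outside sshd_config in a log-watching tool such as fail2ban and is not checked here). It assumes a stock OpenSSH config layout, takes the first value of each keyword the way sshd does, stops at the first Match block, and ignores Include directives; the two sample configs it writes are constructed for the demo, not taken from any real host.

```shell
#!/bin/sh
# Audit an sshd_config against the four in-file hardening items from the post.
# Assumptions: stock OpenSSH "Keyword value" layout (no "Keyword=value"),
# "Include" directives ignored, and settings below the first "Match" block
# treated as conditional and not considered.

# sshd_first_value FILE KEYWORD
#   Prints the first effective value of KEYWORD (keywords are case-insensitive).
#   sshd honours the FIRST occurrence it sees, so later duplicates are ignored.
sshd_first_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/            { next }   # skip comments and blank lines
        tolower($1) == "match"          { exit }   # conditional section begins
        tolower($1) == tolower(key)     { print $2; exit }
    ' "$1"
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# 1. Deny root login. Unset means the OpenSSH default "prohibit-password",
#    which still admits root with a key, so only an explicit "no" passes.
check_root_login() {
    v=$(sshd_first_value "$1" PermitRootLogin)
    [ "$(lower "$v")" = "no" ]
}

# 2. Deny password authentication. Unset means "yes" by default.
check_password_auth() {
    v=$(sshd_first_value "$1" PasswordAuthentication)
    [ "$(lower "$v")" = "no" ]
}

# 3. Require public-key authentication. Default is "yes"; only an explicit
#    "no" is a failure.
check_pubkey_auth() {
    v=$(sshd_first_value "$1" PubkeyAuthentication)
    [ -z "$v" ] || [ "$(lower "$v")" = "yes" ]
}

# 4. Close off deprecated key exchange. The built-in default list depends on
#    the OpenSSH version, so require an explicit allow-list that contains no
#    SHA-1 based method (e.g. diffie-hellman-group1-sha1, diffie-hellman-group14-sha1).
check_kex() {
    v=$(sshd_first_value "$1" KexAlgorithms)
    [ -n "$v" ] && ! printf '%s' "$v" | grep -qi 'sha1'
}

# audit_sshd_config FILE
#   Prints PASS/FAIL per check; return value is the number of failed checks.
audit_sshd_config() {
    fails=0
    for c in check_root_login check_password_auth check_pubkey_auth check_kex; do
        if "$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Constructed sample configs so the audit can be exercised offline.
sample_weak_config() {      # writes a stock-looking, permissive config to $1
    cat > "$1" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1
EOF
}

sample_hardened_config() {  # writes a config meeting items 1-4 to $1
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Match User backup
    PasswordAuthentication yes
EOF
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

Run against the constructed weak config it reports three failures (root login left at its default, passwords enabled, a SHA-1 kex method allowed); the hardened config passes all four even though a Match block further down re-enables passwords for one user, because sshd only applies that block conditionally and the audit stops there.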