
You're just swapping one exposed service for another in that case. I.e., OpenSSH instead of MySQL.

On the other hand, I'd trust OpenSSH more than MySQL.




Well, you're reducing the exposed services from two (mysql + ssh), to one (ssh). Which is always a good idea.

Also agreed. I'd trust OpenSSH to do security better than MySQL.


Having OpenSSH running is pretty much essential for any machines you remote administer. Some things you can do: disable password auth, use public keys. Disallow root logins. Listen on a non-standard port. Configure a hardened "jumphost" as your interface between your machines and the outside world.
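A check for the sshd settings listed in the comment above, as an added example that is not part of the original thread. It assumes the defaults of recent OpenSSH releases, relies on sshd using the first value it reads for a keyword, and uses constructed sample configs; the function names are hypothetical.

```python
# Added example, not from the thread. Sample configs below are constructed.
# Assumes OpenSSH defaults of recent releases; Include files and Match
# overrides are not evaluated.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

def global_settings(config_text):
    """Return (settings, ports) for the global section of an sshd_config."""
    settings, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()  # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":   # conditional blocks start here; stop global parsing
            break
        if key == "port":    # Port may legitimately appear more than once
            ports.append(value)
        else:
            settings.setdefault(key, value)  # sshd keeps the first value it reads
    return {**DEFAULTS, **settings}, ports or ["22"]

def audit(config_text):
    """List deviations from the hardening steps named in the comment."""
    s, ports = global_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("password authentication enabled")
    if s["pubkeyauthentication"] != "yes":
        findings.append("public key authentication disabled")
    if s["permitrootlogin"] != "no":
        findings.append("root login not fully disallowed")
    if "22" in ports:
        findings.append("listening on default port 22")
    return findings

# Constructed sample: the later 'PasswordAuthentication no' is ignored (first wins).
WEAK = "PasswordAuthentication yes\nPermitRootLogin yes\nPasswordAuthentication no\n"
HARDENED = "Port 2222\nPasswordAuthentication no\nPubkeyAuthentication yes\nPermitRootLogin no\n"

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "ok")
```

The effective configuration on a live host, including Match and Include handling, can be printed with `sshd -T`.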


Only if you make the assumption that SSH is already exposed. Which most of the time, it doesn't need to be.


Also: SSH is considerably more battle-tested in this configuration. There's a lot to be said for being aligned with how the developers imagine a program is used.



