I think port knocking is really silly, for what it's worth. Disable password authentication in SSH, minimize the number of systems you expose SSH to at all, and leave it at that.
I agree that disabling password auth--or even just using something like fail2ban to blacklist attackers--is just as effective as (and significantly easier than) setting up port knocking.
The substantive difference, though, is that port knocking can be used to hide the service entirely, rendering you safe (mostly) from 0day attacks, DoS against a specific service, etc. It can also be used to make things that shouldn't be on the Internet (say, an RDP route to the CEO's computer) a little safer. Still, though, it's not like VPNs are very difficult to use...
But if you are using SSH for administrative purposes on anything important that you might be remote from in a time of crisis, you don't want to layer something else on top of SSH that might fail and not let you in, or even if the port-knocking arrangement is OK you might not be able to access it from where you are (perhaps on a mobile/wireless network that is blocking all but the most common standard ports in an ill-conceived effort to block P2P traffic, which would affect people who put SSH on a non-standard port as well). OK, so if it is that bad maybe everything is down/inaccessible (SSH and all), and anything that important has local hands-on support available, but it still strikes me as a bad idea to potentially lock yourself out.
The worrying thing in this report though is how many hosts seem to be running ancient (now unsupported) versions such as the stock variant from Debian 4. I bet most of those hosts have no key-based auth and easily guessed passwords too...