SSL VPN tunnels are a little more processor intensive than the traditional IPSEC tunnels
but in practice i've not noticed much difference from a user perspective apart from reduced 'my vpn isn't working' calls, you just need to be a bit more generous when speccing up the VPN server.

Opening RDP on a high port isn't a good idea, as you say all they need to do is run a portscan  (devil) and they've found it and your back to square one.

You might want to look at  using a 'portal' model where the user visits a SSL protected website  and then there's  a html5 or similar  'rdp session in a browser'
a couple of the products I've used are Sophos UTM (formerly astaro security gateway)and juniper netscreen SA series, 
the Sophos boxes are slightly cheaper than the SA but the SA is definitely better.

Or you could buy a server run up your favourite distro and fire up an openvpn server slightly more work but essentially free and secure (its openvpn inside the Sophos box anyway :-D ).

Sounds like you just need RDS Web Access etc, really.

Or you could look at our workspace product (shameless plug)

Pick up all all your hosted applications and host them on a webfront end securely.

That's what remote app does. I had it working at one point but was trying to make it only use a specific wan and broke it. I need to make time to look at it again.