SSL VPN tunnels are a little more processor-intensive than the traditional IPsec tunnels, but in practice I've not noticed much difference from a user perspective apart from reduced 'my vpn isn't working' calls; you just need to be a bit more generous when speccing up the VPN server.
Opening RDP on a high port isn't a good idea; as you say, all they need to do is run a portscan (devil) and they've found it and you're back to square one.
You might want to look at using a 'portal' model where the user visits an SSL-protected website and then there's an HTML5 or similar 'RDP session in a browser'.
A couple of the products I've used are Sophos UTM (formerly Astaro Security Gateway) and Juniper Netscreen SA series;
the Sophos boxes are slightly cheaper than the SA but the SA is definitely better.
Or you could buy a server, run up your favourite distro and fire up an OpenVPN server: slightly more work but essentially free and secure (it's OpenVPN inside the Sophos box anyway :-D ).
That's what remote app does. I had it working at one point but was trying to make it only use a specific WAN and broke it. I need to make time to look at it again.