It's a good and valid question. Simply, it's about limiting the attack vectors. The more services you expose directly to the Internet, the greater the possibility that one of those services can be exploited. This isn't specifically about LMCE, but a general security practice. One or two doors are easier to secure than ten or twenty doors.
IT security is like layers on an onion; you have to keep peeling them away to get to the centre. You want to make it hard enough that 'they' move on to easier pickings.
Your LMCE login page doesn't currently track login attempts, and I'm willing to bet most people won't be looking through their Apache access logs to see if someone is running a dictionary attack. There are other web-based products like MythWeb and MediaTomb; how about them?
SSH is even riskier, especially if your password isn't strong or you're not using two-factor authentication (username, password, and a pre-shared key, token, or certificates). That's the first attack vector most will try; I regularly see port-scans against border devices, which are going after the SSH port (among others).
Yes, there are ways to secure all those services and make them more resistant to attacks, but that does require advanced IT knowledge. LMCE's about making media and home automation "easier". While most that are perusing these forums are more technically inclined, LMCE's target audience is those less technically inclined, who wouldn't be able to implement those safeguards. Hence, the VPN makes it easier and safer.
In the case of Orbitors, I'm not sure if the traffic is SSL/TLS encrypted. So, if you were to expose those ports over the Internet, and were sending your alarm system PIN code * in the clear *, someone on the same network segment (like in the case of cable modems) could sniff that traffic, figure out what it meant, and then use a replay attack to disarm your system. Using the VPN means all that traffic is encrypted in the VPN tunnel, between your core and the end-device (the phone running QOrbiter).
Hope that explains things! IT security is a complex issue, so I tried to keep it simple...