It's hard for them to get responses, though, and I doubt what he's concerned about is DoS on his VNC server, but someone being able to gain access to his VNC server. Of course, you're the security professional, not me.

That said, there are (I believe) several versions of VNC with adequate encryption and authorization schemes built in. UltraVNC comes to mind, since that's the one I tend to use, but I believe others have similar features.