Main difference is that all of these websites are public behind one big proxy (ALB) and not public on their own.
The security concerns are centralised in one place, not 10.
That's not to say that the ALB can't have a bug or a misconfiguration that will render it wide open. But that's probably true for VPN as well.
And the point of this is that, while application security is still important, it at least makes all those vulnerabilities post-auth, which is a huge improvement.
The poor man's version of this is to put all your services behind an nginx reverse proxy with HTTP Basic auth (and TLS of course). For personal/small scale operations, this is a great way to almost completely eliminate your attack surface, if you have single-digit users and they can be trusted. Everyone running webapps personally should prefer this over, or in addition to, app-specific login systems.
That's not to say that the ALB can't have a bug or a misconfiguration that will render it wide open. But that's probably true for VPN as well.