Putting support functionality on the VPN means folks from outside the organization can't get to it without VPN access. It also means that you must give more people within your organization access to your VPN which raises the chances of having a compromised account be able to access other valuable assets on the VPN such as your production hardware. How do you make a trade-off between these?
VPN access doesn't have to be all-or-nothing. They could (and should) lock each employees VPN access down as much as possible, i.e. support personnel has access to their support tool and nothing else, etc.
Production hardware should be on a separate network/VLAN/whatever anyway.
