
The author goes into this in the beginning by stating that the admin can have "PasswordAuthentication no" in sshd_config and users with keys can still have weakly protected (or unprotected!) keys.

In other words, you can lead a correct horse battery staple to water, but you can't make it protect its key pair with a strong password.
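The gap described in the comment above can at least be audited on key files an admin is able to read. This is an added example, not part of the original comment: `key_is_encrypted` and `constructed_openssh_key` are hypothetical names, and the sample key is constructed (header fields only, no key material).

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"  # AUTH_MAGIC from OpenSSH's PROTOCOL.key


def key_is_encrypted(pem_text: str) -> bool:
    """Return True if the private key file is passphrase-protected."""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if len(lines) < 3 or not (lines[0].startswith("-----BEGIN ")
                              and lines[0].endswith("PRIVATE KEY-----")):
        raise ValueError("not a PEM-armoured private key")
    header = lines[0]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, encrypted
        return True
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        # First field after the magic: uint32 length, then the cipher name.
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        start = len(MAGIC) + 4
        cipher = blob[start:start + n]
        if len(cipher) != n:
            raise ValueError("truncated key header")
        return cipher != b"none"  # "none" means stored in the clear
    # Legacy PEM (RSA/DSA/EC): encrypted keys carry an RFC 1421 Proc-Type header.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
               for ln in lines[1:])


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the OpenSSH key format."""
    return struct.pack(">I", len(data)) + data


def constructed_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: cipher/kdf header fields only, no real key."""
    blob = (MAGIC + ssh_string(cipher) + ssh_string(kdf)
            + ssh_string(b"") + struct.pack(">I", 1))
    body = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body +
            "\n-----END OPENSSH PRIVATE KEY-----\n")
```

This only reports whether a passphrase is set; it says nothing about how strong that passphrase is, which is the part the server side cannot see.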




That's a separate issue though. You can have weak/unprotected VPN keys as well.

I think the author's argument about using VPNs is more a "right tool for the job" thing. SSH is fine for remote shell, but then you start to need other network service access. You can use SSH tunneling, yes, but a VPN is better suited.

So, in a nutshell, the point is "only expose a single service." And since a VPN is more flexible than SSH, might as well go with that if you have the choice. You can of course make counter arguments along the lines of "expose only the minimal amount of functionality" or whether you think a VPN or SSH is more secure.



