ewan | Posts: 445 | Thanked: 572 times | Joined on Oct 2009 @ Oxford | #24
> Originally Posted by CrashandDie
> Actually, the "one username only makes it secure" is a myth. A username isn't a secret, and it shouldn't be treated as one. Yes, my username on my boxes is "slauwers". Yes, my boxes are exposed to the wild wild web.
It's perfectly true in principle that usernames aren't a secret, but in practice the attacks I usually see are dumb dictionary attacks, not targeted thoughtful ones; if you've got systems that need to allow password auth then limiting the available usernames does reduce the chance of one of them getting a lucky hit. If you're keys only then it doesn't make much difference, but then I've had a machine that I thought was set to keys only get compromised because it turned out not to be, and a dictionary attack did get lucky.

As a rule I like a security setup that can take the occasional balls-up without falling to pieces.

> Originally Posted by davost
> As a conclusion though: if I find that I frequently need to access my home computer when I'm on the go, well then I would open up my router for ssh. But for IRC, which could be run as a client on the phone itself?
Not as well though. Your phone's likely to be hopping from network to network as you move around and that will break open tcp connections. With irssi running in screen on a machine with a stable connection your IRC session keeps running - you need to reconnect to it, but it doesn't keep popping on and off IRC. Aside from being generally more friendly that means that it captures conversation that takes place while you're disconnected, so you can catch up when you're back online.

> I just think you are better off with a defensive approach to security. And "a one-in-a-million event" of SSH getting cracked? I would say a one-in-fifty event, and still worry that I underestimate the risk.
Seriously - one in fifty what? SSH in general and OpenSSH in particular is open to the internet on an enormous number of machines and has been for a long time. It's a hugely high-profile target, and has an excellent track record of security.
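The "thought it was keys only but it turned out not to be" failure is worth checking mechanically rather than by eye. The helper below is an added example, not ewan's or the thread's code: it reads an sshd_config file (or the output of `sshd -T`, which is the authoritative effective config), applies sshd's first-value-wins rule, flags the common gap where UsePAM plus keyboard-interactive still prompts for a password, and runs on two constructed sample configs. It assumes POSIX sh with awk and mktemp; `Key=Value` lines and Match blocks are not evaluated.

```shell
# Added audit helper, not from the original post: reads an sshd_config file (or
# `sshd -T` output) and reports whether password-style logins are really off.
# sshd keeps the FIRST value of each keyword; lines after "Match" are conditional
# and deliberately ignored here.
# effective_value FILE KEYWORD -> first global value, lowercased ("" if unset)
effective_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    $1 == "" || substr($1, 1, 1) == "#" { next }  # blank or comment line
    tolower($1) == "match" { exit }                # conditional section begins
    tolower($1) == key { print tolower($2); exit }
  ' "$1"
}
# keys_only_audit FILE -> 0 if only public-key auth is left, 1 otherwise
keys_only_audit() {
  f="$1"; rc=0
  pw=$(effective_value "$f" PasswordAuthentication)
  cr=$(effective_value "$f" ChallengeResponseAuthentication)  # name before OpenSSH 8.7
  kbd=$(effective_value "$f" KbdInteractiveAuthentication)    # name from 8.7 on
  pam=$(effective_value "$f" UsePAM)
  # Unset keywords take sshd's compiled defaults: PasswordAuthentication yes,
  # KbdInteractive/ChallengeResponse yes, UsePAM no.
  [ "${pw:-yes}" = "no" ] || { echo "PasswordAuthentication is effectively yes"; rc=1; }
  ki="${kbd:-${cr:-yes}}"
  if [ "${pam:-no}" = "yes" ] && [ "$ki" != "no" ]; then
    echo "UsePAM yes with keyboard-interactive on: PAM can still prompt for a password"; rc=1
  fi
  [ -n "$(effective_value "$f" AllowUsers)" ] || echo "note: AllowUsers unset, every local account is a valid login name"
  return "$rc"
}
# Constructed samples: the first looks keys-only at a glance but is not.
write_samples() {
  cat > "$1" <<'EOF'
# PasswordAuthentication no   <- commented out, so the default (yes) applies
ChallengeResponseAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF
  cat > "$2" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
AllowUsers ewan
EOF
}
weak=$(mktemp); hard=$(mktemp); write_samples "$weak" "$hard"
for cfg in "$weak" "$hard"; do
  if keys_only_audit "$cfg"; then echo "$cfg: keys only"; else echo "$cfg: NOT keys only"; fi
done
rm -f "$weak" "$hard"
```

On a live box, `sshd -T | keys_only_audit /dev/stdin` style use works because `sshd -T` prints keywords in the same lowercase form this parser accepts.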