Correct me if I am wrong, but you didn't need a VPN before to access RDP securely; it was just considered safer, as you had another barrier that you would have to get through in order to connect to the remote machine.
That in itself doesn't speak to the security of Windows / RDP, which has RSA RC4 encryption for the RDP connection.
Those settings are all available from (Windows 2003/2008 Server):
Programs > Administrative Tools > Terminal Services Configuration
And from there you could set 3 different types of encryption, high / med / low; there are details on that here: http://www.windowsecurity.com/articles/Windows_Terminal_Services.html
There are many other sources that speak on its security.
Now, is it insecure? Could be; it is vulnerable to the same attacks that any Windows server suffers from. Depends on how the server itself is set up.