Honestly, shared hosting is the devil that keeps FTP going. Even using one of the more "secure" versions of FTP, such as vsftpd, still leaves boxes at a higher risk of unauthorized access being gained. While using sftp does add another layer of "protection", it is unneeded overhead on a server. You should just be using SSH if you are going to use sftp. If your host does not provide an sftp variant, a simple Wireshark capture and I have your creds in plain text. Take a look at the year-by-year stats on compromises: even with running sftp there are tons of exploits released and compromises from using ftp.
To me FTP is no more than a lazy answer to what something else already does, and does more "securely". While it is OK-ish in my opinion to use, if it is badly configured and/or not at the least using sftp, you're asking to get pwned. It is technology that was, in a sense, made to solve the issues of shared hosting, where thousands of people need to log in to the same box and upload content, with the expectation that 99.9% of these users are not that technically competent and need a simple interface to interact with. The CLI scares the vast majority of people for some reason. There are programs like PAC Manager that give you a GUI-type SSH experience; while you still interact with the boxes through the CLI, it makes a single tool to access every server you have. For me it is a life saver, as I have to maintain a list of over 800 servers for clients, business and personal use.
Badly written firewall rules, or the lack thereof, apply to any server of any OS regardless of whether FTP is running or not. I can't tell you how many times I get a call to come tune up or fix something, and I check out the firewall rules and find ones that basically null out other rules in the list, or reopen ports they are trying to close, things like that. As I have said numerous times, there is a difference, a drastic one at that, between your low-end hosting (shared, VPS, dedicated) and high-end fully managed hosting, especially if you have compliance needs. Also, the definition of "dedicated" in hosting is used VERY loosely, and to almost every hosting company it has a slightly different meaning.
There is lots more to say, but this is taking the topic way off track at this point. To summarize my personal opinion: ftp of any sort is not needed and adds a greater security risk to your box and/or network.
Back to our originally asked question
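As an added example (not from the post above or any project it mentions): a small detector that reads an FTP control-channel stream reassembled from a capture and flags any PASS command sent before a TLS upgrade, which is what a defender would check to confirm that cleartext logins are still happening on the wire. The vsFTPd banner text and the credentials in the two sample streams are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample: FTP control channel as reassembled from a capture
# ("follow TCP stream"). Credentials here are made up.
SAMPLE_STREAM = """\
220 (vsFTPd 3.0.3)
USER webdeploy
331 Please specify the password.
PASS hunter2
230 Login successful.
"""
# Constructed sample: explicit FTPS; after the 234 reply the channel is
# encrypted, so a capture shows only this plaintext prelude.
SAMPLE_FTPS_STREAM = """\
220 (vsFTPd 3.0.3)
AUTH TLS
234 Proceed with negotiation.
"""
@dataclass
class Finding:
    line: int            # 1-based line in the reassembled stream
    user: Optional[str]  # USER value sent before this PASS, if any
    password_len: int    # length only; never record the secret itself

SERVER_REPLY = re.compile(r"^\d{3}[ -]")
CLIENT_CMD = re.compile(r"^([A-Za-z]{3,4})(?:\s+(.*))?$")

def find_cleartext_logins(stream: str) -> List[Finding]:
    """Flag every PASS sent before a TLS upgrade (234 reply to AUTH TLS)."""
    findings: List[Finding] = []
    user, awaiting_tls = None, False
    for lineno, raw in enumerate(stream.splitlines(), 1):
        line = raw.rstrip("\r")
        if SERVER_REPLY.match(line):
            if awaiting_tls and line.startswith("234"):
                break  # control channel is encrypted from here on
            continue
        m = CLIENT_CMD.match(line)
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2) or ""
        if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
            awaiting_tls = True
        elif cmd == "USER":
            user = arg
        elif cmd == "PASS":
            findings.append(Finding(lineno, user, len(arg)))
    return findings
```

Run it over the plain FTP sample and it reports one cleartext password for user `webdeploy`; the FTPS prelude produces no findings because the upgrade happens before login.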