I was taking this more from the perspective that the company doesn't seem to either have a structured IT department or security policy in place (this is only an assumption from the posts).
They hired an inexperienced person (again nothing wrong with that) to conduct a pentest on their company. The OP mentioned that they used to consult outside for services. To me, this seems like a small company that probably doesn't need much in IT "upkeep" or complex maintenance on a regular basis since they turned the OP for help. That being said, the easiest and best thing to do would be lock this stuff down if there isn't a real need for remote management over the internet. Again, I am just basing this off what I read, I could be completely wrong.
To OP, I guess the question is what role do you have at the company? Can you address these issues? Was this just a risk assessment, or are you going to make changes to the network?