I wouldn't say OpenSSH suffers from "regular" exploits (granted there was a spate of several back near the end of last year / beginning of this year). None the less, if you're running with priviledge separation enabled (which makes the network side handled by an unpriveledged user in a chroot'd jail; it's been in there since around version 3.4 I think) there's probably very little risk of them being able to compromise the box (not to say a DOS isn't possible). If you're really paranoid you'd probably be better served by filtering from whom you'll accept TCP traffic to port 22.