Remote desktop is not secure

I had a consultant give me the fire drill about how our network is at risk
because we have 2 people connecting via remote desktop to 1 server. These
are set in GP to enforce high encryption level. My understanding is this
is secure, and according to the TechNet article I read, even login
credentials are encrypted.
Is this correct? Is the contractor just trying to scare us to have him
set up a VPN for $$$?
Looking for comments