Having a VNC server running on their PC is far more insecure than setting up remote access on the router, since VNC gives direct access to the PC and there have been plenty of exploits in the past for that service.
Code:
2008-08-01 RealVNC Windows Client 4.1.2 Remote DOS Crash PoC
2007-06-28 AMX Corp. VNC ActiveX Control (AmxVnc.dll 1.0.13.0) BoF Exploit
2007-05-08 SmartCode VNC Manager 3.6 (scvncctrl.dll) Denial of Service Exploit
2007-02-02 Chicken of the VNC 2.0 (NULL-pointer) Remote Denial of Service Exploit
2006-05-17 RealVNC 4.1.0 - 4.1.1 (VNC Null Authentication) Vulnerability Scanners
2006-05-16 RealVNC 4.1.0 - 4.1.1 (VNC Null Authentication) Auth Bypass Patch/EXE
2006-05-15 RealVNC 4.1.0 - 4.1.1 (Null Authentication) Auth Bypass Exploit (meta)
2006-04-11 Ultr@VNC <= 1.0.1 client Log::ReallyPrint Buffer Overflow Exploit
2006-04-04 Ultr@VNC <= 1.0.1 client Log::ReallyPrint Buffer Overflow PoC
2006-04-04 Ultr@VNC <= 1.0.1 VNCLog::ReallyPrint Remote Buffer Overflow PoC
Unless she's annoyed some Russian hackers it's highly unlikely (though not impossible) that someone would bother to waste time trying to brute force the router password. There are much easier ways to exploit than that.