Regs: the RDP protocol itself has not, to my knowledge, had any breaches that have enabled anyone to gain access without a valid username/password.
There are others, too.
Regs: You can use two-factor authentication with smartcard + username & password with RDP which is built in to windows. You also have the ability to install 3rd party two-factor auth products onto the 'server'(*) such as RSA SecureID, a USB Key solution, or an SMS-based one-time-code.
(*) some two-factor solutions also work on xp/vista/7 as well as on the win server platform.
Yes, you can do all of that. Or you can use a VPN which gives you all of that, mitigates from exploiting the RDP protocol itself (although the VPN is of course exploitable, but now you must exploit both the VPN and the RDP to compromise the system). And a VPN is more versatile over time than RDP.
Security is about layers...