Of course there is risk in exposing a service to the internet; a service open to the internet has a far greater potential attack surface, so there is a greater chance that an existing vulnerability in the exposed service gets exploited. But that is not an argument against the practice of port forwarding -- you just need to make sure that you take adequate precautions to mitigate risk. You do realize that, to be able to access a service from the internet, you need to expose it to the internet, right?