RDP is encrypted and can go all the way to FIPS encryption and have certificates to verify the server identity (to eliminate/reduce man-in-the-middle attacks). Is it 100% safe? No, like everything else.
It all comes down to how sensitive the information on your network may be, how paranoid about security your company is, and so on.
Plus, keep in mind that with 2008 TS you can use TS Gateway and have RDP over HTTPS. It also offers more granularity on what is enabled/disabled if coming through the gateway. In this case a VPN is certainly not required at all.
Cláudio Rodrigues
Citrix CTP
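
To see which of the protections mentioned in the post above a given server actually has turned on (encryption level up to FIPS, TLS with a server certificate), the listener settings can be read from the registry. This is an added example, not part of the original post; the function names are hypothetical, and it assumes the standard Windows RDP-Tcp listener and Terminal Services policy registry keys.

```powershell
# Added example: report the RDP listener's encryption and authentication settings.
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$EncNames    = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$LayerNames  = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

function Get-RdpValue {
    param([string]$Name)
    # A Group Policy value, when present, overrides the listener's own value.
    foreach ($key in $PolicyKey, $ListenerKey) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

function Get-Label {
    param($Map, $Value)
    if ($null -eq $Value) { return 'not set' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "unknown ($Value)"
}

function Test-RdpListener {
    $enc   = Get-RdpValue 'MinEncryptionLevel'
    $layer = Get-RdpValue 'SecurityLayer'
    $nla   = Get-RdpValue 'UserAuthentication'
    $thumb = Get-RdpValue 'SSLCertificateSHA1Hash'   # REG_BINARY thumbprint, if a cert is bound

    $findings = @()
    if ($null -eq $enc -or $enc -lt 3) { $findings += 'Encryption level is below High' }
    if ($layer -ne 2) { $findings += 'Security layer is not fixed to SSL (TLS), so certificate-based server authentication is not guaranteed' }
    if ($nla -ne 1)   { $findings += 'Network Level Authentication is not required' }
    if ($null -eq $thumb) { $findings += 'No certificate bound to the listener; the self-signed default is used' }

    [pscustomobject]@{
        EncryptionLevel = Get-Label $EncNames $enc
        SecurityLayer   = Get-Label $LayerNames $layer
        NlaRequired     = ($nla -eq 1)
        CertThumbprint  = if ($thumb) { ($thumb | ForEach-Object { $_.ToString('X2') }) -join '' } else { 'none' }
        Findings        = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

Test-RdpListener | Format-List
```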