One thing I'd like to mention is that I consider FTP useless for anything but anonymous access, for the same reason Telnet is - they're both unencrypted protocols.
There are also a handful of FTP daemons that have been written explicitly for anonymous access exclusively and will present very little if any vulnerability. (The one I'm thinking (but don't remember the name) of doesn't contain a single file write call in the entire source, runs chrooted and drops root priviledges as soon as it has a connection before it reads a single byte from the connection.)
Even so, making FTP work poses numerous problems to a firewall due to the way the protocol is set up, with the separation between data and control connections. It really is time to let this dinosaur die.
Makeshifts last the longest.