If they're following industry standard practice (I'm hoping you mean "key-based auth only") then there is absolutely zero reason to move the port, other than to avoid filling up your logs, and two IPTables rules take care of that anyway.
This is what's known as 'putting all your eggs in one basket'. Relying on a strong auth mechanism is extremely sensible but only relying on that isn't. Exploits are found even in the oldest and best reviewed code. Nothing is 100% safe. If an exploit is discovered in the auth mechanism you're relying on then the obscurity of having SSH on a different port, with a mechanism to block port scanning, could at least buy you enough time to delay an attacker long enough for you to shut down auth until there's a fix. Considering the cost of switching port is so low it seems foolhardy not to.