* You need to make sure you've firewalled (and/or on single-host configurations bound it exclusively to lo0) memcached so people can't talk to it from the Internet.
* If you survey the Internet, you'll find a lot of people who have not obeyed this rule.
* If you don't obey this rule attackers can get and possibly alter most of your data; an exposed memcached is probably game-over for your site.
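One way to check the advice in the post above on a running host, as an added example that is not code from the thread: parse `ss -ltnp` style output and flag any memcached listener that is bound to something other than a loopback address. The `ss` lines below are constructed sample output (the column layout is assumed to match `ss -H -ltnp`); the same function can be fed live output from the host.

```python
"""Added example (not from the thread): report memcached listeners that are
reachable from off-host, i.e. not bound exclusively to loopback."""
import ipaddress
import re
import subprocess

MEMCACHED_PORT = 11211

# Constructed sample of `ss -H -ltnp` output (assumption: this column layout).
# Lines 2 and 3 are the bad case: memcached listening on all interfaces.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 1024 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=1201,fd=26))
LISTEN 0 1024 0.0.0.0:11211 0.0.0.0:* users:(("memcached",pid=1202,fd=26))
LISTEN 0 128 [::]:11211 [::]:* users:(("memcached",pid=1203,fd=27))
LISTEN 0 128 *:22 *:* users:(("sshd",pid=900,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=700,fd=6))
"""


def split_addr(local):
    """Split 'host:port' ('[v6]:port' or '*:port') into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True only for 127.0.0.0/8 or ::1; wildcards ('*', 0.0.0.0, ::) are not."""
    if host in ("*", ""):
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_listeners(ss_output, port=MEMCACHED_PORT):
    """Return (host, port, process) for every LISTEN socket on `port`
    whose local address is not a loopback address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip headers and non-listening rows.
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, lport = split_addr(fields[3])
        if lport != port or is_loopback(host):
            continue
        match = re.search(r'\(\("([^"]+)"', line)
        process = match.group(1) if match else "?"
        findings.append((host, lport, process))
    return findings


def audit_live(port=MEMCACHED_PORT):
    """Run `ss` on this host (Linux) and audit its output."""
    out = subprocess.run(["ss", "-H", "-ltnp"], capture_output=True,
                         text=True, check=True).stdout
    return exposed_listeners(out, port)


if __name__ == "__main__":
    for host, lport, process in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED: {process} listening on {host}:{lport}")
    try:
        print("live findings:", audit_live())
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("ss not available on this host; sample output only")
```

A clean host returns an empty list: memcached bound to 127.0.0.1 (or started with `-l 127.0.0.1`) is skipped, while `0.0.0.0` and `::` bindings are reported even when a host firewall also blocks the port, since the binding is the thing to fix first.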
The only things you should be able to talk to on anything in your data center are ports 443 and 80, plus 25 on your single mail relay if you have one, plus 22 (heavily filtered) on a single relay SSH server. If you can talk to more than that, you've probably done something very wrong.
Unfortunately it's often not good enough to point out open ports, and one needs to demonstrate exploitability. The main thrust of the talk was to say "if you come across memcacheds, don't skip them, there's coolness there". E.g. an open memcached used by Django directly equates to remote code exec due to Python's pickle.
You're spot on with the final point; firewall firewall firewall.
[fd: that's my name on the preso]
Bad gowalla, bitly, and PBS operations departments. Shame on you.
That alone allows you to avoid most attackers trying to guess valid server IPs.
Now to put a honey pot on port 22.
I can't emphasize this one enough. Unless you need to login from a lot of different machines, there really isn't any excuse not to do this. It also has the bonus of making logins really easy since you don't have to type a password.
Also, yes, along with changing the port, the only way it should be possible to get in is through keys.
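A small check for the sshd setup the last two comments describe (non-default port, key-only login), as an added example rather than anything posted in the thread: it parses an `sshd_config` and reports directives that still allow password or root login. The two config texts are constructed samples; the fallback defaults are OpenSSH's documented ones and are labelled as an assumption in the code.

```python
"""Added example (not from the thread): audit an sshd_config for the
key-only, moved-port setup the commenters recommend."""

# OpenSSH's defaults when a directive is absent (assumption: modern OpenSSH;
# ChallengeResponseAuthentication is the older name of KbdInteractiveAuthentication).
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# Constructed sample configs.
HARDENED_CONFIG = """\
# moved off 22, keys only
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # ignored: sshd keeps the first occurrence
"""


def parse_sshd_config(text):
    """Return {directive_lowercase: value} for the global section.

    sshd honours the first occurrence of a directive, so later duplicates are
    ignored, and anything after the first Match block is conditional, so
    parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")
        key = key.lower()
        if key == "match":
            break
        settings.setdefault(key, value.strip())
    return settings


def audit_sshd(text):
    """Return a list of findings; an empty list means key-only on a non-default port."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    if cfg.get("challengeresponseauthentication"):
        cfg["kbdinteractiveauthentication"] = cfg["challengeresponseauthentication"]
    issues = []
    if cfg["passwordauthentication"] == "yes":
        issues.append("PasswordAuthentication yes: set to no so only keys are accepted")
    if cfg["kbdinteractiveauthentication"] == "yes":
        issues.append("KbdInteractiveAuthentication yes: PAM prompts can still take passwords")
    if cfg["pubkeyauthentication"] != "yes":
        issues.append("PubkeyAuthentication is off: key login would be impossible")
    if cfg["permitrootlogin"] == "yes":
        issues.append("PermitRootLogin yes: root should not log in with a password")
    if cfg["port"] == "22":
        issues.append("Port 22: still on the default port")
    return issues


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_sshd(cfg) or "OK")
```

Running it against `/etc/ssh/sshd_config` on a host you administer is a one-line change (`audit_sshd(open(path).read())`); the first-occurrence rule matters because a stray `PasswordAuthentication yes` near the top of the file wins over a hardening line appended at the bottom.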