A fully-patched NTP server should be fine. A lot of tier-2 ISPs were treating their NTP servers as abandonware that never got updates, so they ended up being ripe for UDP amplification attacks, but that was a vulnerability in ancient software, not the protocol.