If he advised you to use Sftp instead of "plain" ftp, does he has a solution to jail down the logged in users? As Sftp is a sub protocol of ssh...
More than that I'd suggest the use of ftpS (ftp over SSL/TLS), so the only thing you need to do is to configure your ftp daemon for the use of ftps and if possible to force ssl / tls only.
Generally he is right, to enforce encryption anywhere where possible and disable the access to any service (or the service itself, depends on your business needs) that is not needed to be accessed from outside (or to restrict the access from only specific locations, if you are able to define these)...
But this is only the security on the network layer. For a complete overview, you should also consider taking a look, at the configuration of the used (web)apps, their soruce code (if possible) etc.
A tool which may also help you "hardening" your server is lynis (
http://rootkit.nl).