The main issue is that your key presses will be travelling across an untrusted network unencrypted. So if you have to provide further login credentials post logging into VNC, then those credentials could be compromised.
"I am setting up their on site firewall to use static real IP addresses from the ISP"
Do you mean you are going to set their firewall to only accept a VNC connection from your address? That's about the only way I'd even start to feel safe running VNC in the wild.
Why are you not using XP's built-in RDP server? There are some perfectly good RDP clients for Linux, and in my experience it is better over limited bandwidth than VNC.
But personally I would consider setting up a VPN; that's how I support most of my clients. Also, if there is more than one machine to support at each site, then opening separate ports on the gateway for each machine becomes a bit of an admin nightmare.