In MySQL you have to change the bind-address but also allow the user to access from any IP (%) in order to access from any IP. Opening the service to the whole web is not enough
True, and hopefully if/when people do that they're not GRANT to '%'@'%' or whatever, but I figure if you're not going to bother to tunnel who knows what other silly things you might do.
And this is case in point.