[throw0101a]

RSA 3072 has the 'comparable' security of AES 128:

* https://www.keylength.com/en/4/

Going to 4096 doesn't get you much given you have weaker links in the security chain. The next step up would be AES 192 and RSA 7680, and then AES 256 with RSA 15360.

[nullc]

You'd have an argument if you were just talking about the DH key used for PFS, but the ID key is a long term secret, so breaking it has a radically payoff surface.

Even when AES and ECC have similar security they have different behavior in terms of multi-target attacks and the curve for success probability vs computation invested are quite different.

You're also not limited to use AES 128 with ssh, ChaCha20-Poly1305 is a nice choice.