unless his computer is on a separate network, that actually isn't even remotely true
see, forwarding a port in and of itself is totally harmless - you're just directing traffic
however, if there's a vulnerability on the server software that you're running, then you're vulnerable - if you hadn't forwarded the port, no one could exploit that bug
if you were to download a malicious mod for minecraft, it could compromise your server or give an attacker a remote shell or whatever the forget
if you use a stuffty password for ssh, an attacker will get remote shell on your actual server
with either of these vulnerabilities, they could pentest the entire rest of your network, or even simply start a network sniffer, or even use ARP poisoning to redirect DNS requests for your father's chosen bank to their own phishing webpage
yeah, it ain't secure at all, and yes, an attacker could ultimately attack your father through your server.
now, if you disable password logins and force key-based authentication on the ssh server, never download a minecraft mod (and watch for if someone spots a vulnerability in the game), and watch for security vulnerabilities in the ssh server, then you're perfectly fine
also vps's have automated billing
EDIT: you probably won't tell him all that, and i can't urge you to or anything - but be sure that you understand the risks.
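
One way to check the "disable password logins and force key-based authentication" advice above against an actual sshd_config, as an added example that is not part of the original post. The helper name `audit_sshd_config` and both sample configs are constructed for illustration, and `Include` files are not followed.

```python
# Added example (hypothetical helper, not from the original post)
KEYS = ("passwordauthentication", "kbdinteractiveauthentication", "pubkeyauthentication")
DEFAULTS = dict.fromkeys(KEYS, "yes")  # OpenSSH defaults when a keyword is absent
# Deprecated alias for the same setting
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def audit_sshd_config(text):
    """Return findings; an empty list means only key-based logins are accepted."""
    effective, findings, match = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Keyword and argument are separated by whitespace or a single '='
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if key == "match":
            match = value  # following lines apply only to this Match block
        elif key in DEFAULTS and match is None:
            effective.setdefault(key, value)  # first value obtained wins
        elif key in DEFAULTS and key != "pubkeyauthentication" and value == "yes":
            findings.append(f"Match {match}: {key} yes overrides the global setting")
    for key, default in DEFAULTS.items():
        value = effective.get(key, default)
        if key == "pubkeyauthentication":
            if value != "yes":
                findings.append("pubkeyauthentication is disabled, key logins cannot work")
        elif value != "no":
            findings.append(f"{key} is effectively '{value}', set it to 'no'")
    return findings

# Constructed sample configs (not taken from any real server)
WEAK = """
PasswordAuthentication no
PasswordAuthentication yes   # ignored, the first value wins
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""
HARDENED = """
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_sshd_config(cfg) or "key-only logins")
```

The WEAK sample looks hardened at first glance, but keyboard-interactive logins are still on by default and the Match block turns passwords back on for one subnet.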