I have a long history of having my family use Linux. I'm a Debian guy myself, so I've always either used Ubuntu or basic Debian. I run dwm on any machines that I put X on (very few, honestly).
I started my Dad on Ubuntu around 2008, and he hasn't used anything else since. Shortly thereafter my Mom, then my Sisters. Most recently my Step-mom, and Grandparents have gone to Ubuntu.
When I got some castoff laptops from work, I turned them into Sugar notebooks for my kids, and once that became too limiting for them I helped them install mainline Debian. Some of them run Gnome and my oldest runs fvwm.
My wife still runs Windows because of inertia, more than anything TBH.
In my experience, I've only had 1 peripheral that someone has bought that was totally unusable due to drivers (scanner), and the only programs my relatives have asked for that weren't available were my kids wanting to play Roblox, which I didn't want them playing anyways. Thanks to Minetest and buying most Humble Indie bundles I actually have a pretty good library of Linux games for them to play, so there hasn't been much bellyaching from them. Well, that and the Windows gaming/home theatre PC.
I've gone to a 2 strikes and you're out policy on Windows installs. If I have to re-install it for you more than one, and you're either getting Linux or finding someone else to fix your computer. My Grandparents got caught on this policy, but my stepmom actually asked for "That system that Dad has that doesn't get viruses". Happy ever since.
Most people that aren't highly technical tend be served by Firefox/Thunderbird/LibreOffice for 99.99% of their needs. It's mostly Facebook these days TBH.
It makes support dead simple. no-ip.com and SSH let me fix almost anything remotely, and no one has every gotten pwned that I know of.
Other people have answered the port question, but I'll try to go at a slightly lower level. Each open port will have a program running on the host that has opened a listening socket on that port. Netstat can help you find out what is listening, and on what interface/port. As a rule, only root can open ports under 1024, and any well written server will drop all non-required privs. You can check with the ps command. This is somewhat enforced on some OSs, eg OpenBSD with pledge.
From a security standpoint you should verify that you know and understand every server listening on a socket, which interfaces they are bound to (netstat asterisk means all interfaces), and whether they are exposed to the internet via direct interface/proxy/port forward/etc.
One trick to secure services that need remote access: if the service is only for technical users, you can give them each an account with no interactive shell, and then they can ssh port-forward to the port they want to access. Eg. you can make 3389 (RDP) only listen on the local LAN or the loopback device, ssh to your router with port forwarding local port 3399 (or whatever), to remote IP:3389 and point your local rdp client to localhost:3399. Great for ad-hoc limited VPN type connections. That way you only have to be aware of SSH remote holes, and not the more-likely RDP server.
Hopefully if any of this is incorrect, someone will correct me
