If you're a Carrier network or large Enterprise, you have two options: Juniper or Cisco. Nobody else makes hardware that even comes close when you're talking routing and switching.
Cisco has the market in the enterprise, but the service provider space is a bit more competitive, simply because service providers generally don't like to single source major components to their core business. Many are now looking into white box configurations with SDN.
There's no good reason you should even have the device's management interface directly exposed to the public internet.
Many times the management interface of a routing device is not used in lieu of a management IP address on a software loopback interface. This is so the device is reachable in the event of a link failure, because the management address is associated with an interface (software) that will never be withdrawn from the routing table. All the management IP needs to be reachable is at least one functioning routed interface.
If you want to be able to remotely manage your equipment, you set up a VPN
I'm not sure I would trust an SSL, or better yet a TLS encrypted tunnel over an SSH connection. The OpenBSD guys tend to be pretty paranoid about security; the OpenSSL community doesn't have the same reputation. Ultimately it comes down to the implementation that is more trusted; for example, I would trust an OpenBSD-based OpenSSH server over a Cisco device for receiving SSH connections directly from the internet.
which will then give access to your internal, privately addressed (i.e. not publicly routable) management network, and access the equipment from the inside
I don't think of private addressing as a strong security measure. Having adequate access controls at administrative boundaries would be more effective and less complex. It's been repeated many times on this forum and others: NAT is not a security feature.
You should ***NEVER*** be able to directly open a connection, either via SSH or any other method, from the 'wild' internet... it's just flat out stupid even if there are no flaws in your equipment.
Multiple layers of security are definitely helpful. It diminishes the effectiveness if the same credentials are used to secure each layer.