If you're sure that disabling Telnet is not going to give you an operational challenge, it's definately a good idea to disable it globally and always use SSHv2 instead.
Regarding the ACLs, I tend not to worry about those from interfaces facing interior networks (so as to allow for management flexibility) unless a customer has a strict industry compliance conformity to adhere to. For interfaces facing public networks, I tend to apply a very strict ACL.
Furthermore, I tend to actually have that public ACL redirect incoming SSHv2 sessions from a non-well-known port. For example, I set my SSHv2 client with a destination port of 650 on the controller IP, and then set a redirect rule in the controller ACL, redirecting port 650 traffic to 22. Before that rule, I deny port 22. The result is that you're less prone to some brute SSH and scripted attacks. Less alerts on your monitoring platforms too!