Standard FTP uses an insecure port 21, SFTP uses a secure port 22, and port 990 is used for TLS/SSL implicit encryption.
Ports on a server are neither secure nor insecure. They are simply where a daemon listens for connections. Yes, SFTP and Secure FTP offer more security, especially when you are connected through public or shared Internet access, but that does not mean that the FTP protocol is insecure. Using an up-to-date FTP client in a secure environment such as your home or a business is perfectly safe.
Perhaps an example of an insecure protocol would help. Telnet is considered insecure and should never be active on a device connected to the Internet. The code of the daemon is compromised and can be attacked in such a way that the attacker can gain access without a username and password. Thus only SSH or SSH2 should be running on a server to allow shell access. Now you might ask why not patch the telnet daemon. Good question. SSH has been around for almost as long as telnet, and its login process is already hardened against attacks. So it is easy to just turn off telnet.
Many people believe that the FTP protocol is insecure because browser makers removed the FTP functionality from their browsers. But that just isn't based on fact. Perhaps a bit of history would help. When Tim Berners-Lee first proposed the concept of the World Wide Web (WWW), he had a specific use for it. He thought that it could be used by researchers all over the world to share their ideas. Using his browser, they could upload a plain text document to a shared space on a server connected to the Internet. Others could view the document remotely and even download a copy for offline study. The uploading and downloading was done with the FTP functionality he built into his browser. Sounds like Google Docs, doesn't it? Now, like all good ideas, it grew and expanded at an amazing rate. HTML was invented to mark up the plain text documents, and the HTTP protocol was created to have a web daemon fetch the documents from any server in the world acting as a web server. Very quickly the simple FTP functionality was no longer needed, but makers of browsers left it in just in case.
In the early grey page days of the Internet, you could connect to an FTP server, see a file listing, and download a file by clicking on it, all from within your browser. But uploading from the browser was more difficult than Berners-Lee had imagined. The admins of web servers were not too hot on letting strangers without accounts upload files to their servers. You had to have a user account and a password, and your files were stored in your user directory. Files in your user directory were owned by your username, and your account had very restricted permissions on the server. So everyone used a dedicated FTP client instead of a browser to upload files to their user directory. You could even upload a malicious script to your user directory and execute it, but since it was owned by your username, it couldn't affect anything that wasn't in your user directory.
Here is where it gets fun. Someone discovered that, using the long-forgotten FTP functionality, you could get the web daemon to execute your malicious script by typing a long URL using the FTP protocol into your browser. Oops, that is a big problem. The web daemon has full rights to all the user directories on the server. Your script can hop from one user directory to another, doing whatever it wants. Defacing web pages was a popular choice.
Most experienced admins had already closed this security hole, but there are plenty of servers in the world that are run by people who have no idea it even exists. So browser makers chose to remove the FTP functionality, since so few people ever use it.
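To illustrate the point above that a port is only where a daemon listens, here is an added example (not part of the original text) that starts two local listeners on OS-chosen ports and identifies each by its greeting rather than its port number. The greeting strings and function names are constructed for the illustration.

```python
import socket
import threading

# Constructed greetings: the first line each kind of daemon sends on connect.
FTP_GREETING = b"220 example FTP server ready\r\n"  # FTP reply code 220 (RFC 959)
SSH_GREETING = b"SSH-2.0-ExampleSSH_1.0\r\n"        # SSH identification string (RFC 4253)


def start_listener(greeting):
    """Start a one-shot daemon on 127.0.0.1 at an OS-chosen port; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks any free port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def classify_greeting(line):
    """Name the protocol from the greeting bytes; the port plays no part."""
    if line.startswith(b"SSH-"):
        return "ssh"
    if line[:3] == b"220":
        # SMTP also greets with 220, so treat this as a hint to confirm.
        return "ftp"
    return "unknown"


def probe(port, timeout=2.0):
    """Connect to a local port and classify the first line the daemon sends."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        return classify_greeting(s.makefile("rb").readline())


def demo():
    """Run an FTP-style and an SSH-style daemon on arbitrary ports; identify each."""
    ftp_port = start_listener(FTP_GREETING)
    ssh_port = start_listener(SSH_GREETING)
    return {"ftp_listener": probe(ftp_port), "ssh_listener": probe(ssh_port)}


if __name__ == "__main__":
    print(demo())
```

Neither listener is on port 21 or 22, yet each is identified correctly, which is why a service inventory should record what a daemon speaks and not only where it listens.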