How bad is setting MySQL's bind-address to 0.0.0.0?

I think you are misunderstanding the bind-address setting a little. These are the local addresses that MySQL will listen on for connections. The default is 0.0.0.0, which is all interfaces. This setting does not restrict which IPs can access the server, unless you specify 127.0.0.1 for localhost only.

If you need to restrict certain users from specific IP addresses, utilize create/grant user like this: CREATE USER 'bobdole'@'192.168.10.221';
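
Added example, not part of the original answer: one way to check what the server is listening on, find accounts that are not tied to a specific client host, and create the host-restricted account from the answer with limited privileges. The database name `appdb` and the password placeholder are assumptions for illustration.

```sql
-- 1. Confirm which local address the server is bound to.
--    0.0.0.0 (or *) means every interface accepts connections.
SHOW VARIABLES LIKE 'bind_address';

-- 2. Audit: list accounts whose host part contains a wildcard.
--    These accounts can authenticate from more than one client address,
--    so they matter most when the server listens on all interfaces.
SELECT user, host
FROM mysql.user
WHERE INSTR(host, '%') > 0
ORDER BY user, host;

-- 3. Create the account from the answer, tied to a single client IP.
--    Replace the placeholder with a real secret; an account created
--    without IDENTIFIED BY may end up with an empty password.
CREATE USER 'bobdole'@'192.168.10.221'
  IDENTIFIED BY '<REPLACE_WITH_STRONG_PASSWORD>';

-- 4. Grant only what the application needs, on one schema.
--    `appdb` is a hypothetical database name.
GRANT SELECT, INSERT, UPDATE, DELETE
  ON appdb.*
  TO 'bobdole'@'192.168.10.221';

-- 5. Verify the result: the grants apply only to this user@host pair.
SHOW GRANTS FOR 'bobdole'@'192.168.10.221';
```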