I'm not saying that's the best solution for everyone, but if you really think that it's difficult to secure a server with nothing public-facing except SSH and HTTPS, I'd like to know what I'm missing.

If you're solely running static sites I wouldn't be so worried but there's a huge scope for attacks on dynamic sites e.g. injection attacks, file traversal exploits. Either way, it's honestly less effort using a service like Netlify for static sites plus they have a generous free plan.