
A static site does run on a web server.


Yes, but the web server is just reading files from disk and not invoking an application server. So if you keep your web server up to date, you are at much lower risk than if you also had to keep your application + programming environment secure.


That really depends on the web server, and the web app you'd otherwise be writing. If it's a shitty static web server, then a JVM or BEAM based web app might be safer actually.


Uh, yeah, I thought about Nginx or Apache and would expect them to be more secure than your average self-written application.


A static site is served by a webserver, but the software to generate it runs elsewhere.


Yes. And a web server has an attack surface, no?


I think it’s reasonable to understand that nginx/caddy serving static files (or better yet a public S3 bucket doing so) is way, way less of a risk than a dynamic application.


Of course, that’s true for those web servers. If kept up to date. If not, the attack surface is actually huge because exploits are well known.


What are these huge attack surfaces that you are talking about? Any links?



