One of the big issues here that is only very very slightly glossed over is the security you give up. The only sort of security filtering you get is AWS' WAF, which is considerably weaker than a firewall like mod_security with a default ruleset, or even apache's .htaccess. Inbound filtering, you're limited to a tiny ruleset with only a few conditions, and outbound filtering doesn't exist at all.
This lack of firewalling continues up and down the stack. As such, it's a lot harder to create rules regarding any API calls you make to third party services, harder to audit how your app interacts with any datastores, and generally an administrative nightmare. It may be useful for some apps, but just feels like a nightmare to maintain for any decently sized setup.
The sales pitch is that the fabric vendor does the administration, and people like you are out of a job.
Because the framework infrastructure is supposed to solve all of that behind the curtains, so developers cannot shoot themselves in the foot. (Other than through excessive resource consumption)
This may definitely be a concern for some organizations, but I think there's a lot of focus on serverless being all about apis and web requests. Serverless is also a great way to manage stream processing, and job queues - where these issues are less relevant.
This lack of firewalling continues up and down the stack. As such, it's a lot harder to create rules regarding any API calls you make to third party services, harder to audit how your app interacts with any datastores, and generally an administrative nightmare. It may be useful for some apps, but just feels like a nightmare to maintain for any decently sized setup.