I think it’s reasonable to understand that nginx/caddy serving static files (or better yet a public s3 bucket doing so) is way, way less of a risk than a dynamic application.

Of course, that’s true for those web servers. If kept up to date. If not, the attack surface is actually huge because exploits are well known.

What are these huge attack surfaces that you are talking about? Any links?