It is plausible to run a service on a $5 VPS. Pay $120 ahead of time and you have it for two years. I don't know why you think it would be so fragile. It wouldn't be difficult to run locally either.
Pretty hard to own a VPS which has no external ports open, even if the software on it is years out of date. In fact, updating software is probably a bigger security risk than not doing so, because you never know when someone manages to package a malicious bit of code into a common debian package.
Also, if it did get owned, I'd just have to spend a few hours rebuilding it - no bitcoin wallets or anything to steal on there.
Fair point about updates being a mixed bag. But “no ports open” doesn’t always mean safe. Maybe someone can pass some evil bits inside transaction metadata? (Disclaimer: no idea what I’m talking about w/r/t transactions, or how much parsing you’re doing)
If that were possible it would be exploited on every instance of the insecure software. Luckily what you are saying is far fetched. Why is it that you think a VPS is some fragile thing that is sure to be exploited? There are literally millions of instances chugging away, serving up files. Let's use our best judgement.
Sound like FUD, what reason do you have to think a VPS set up correctly would have such a high probability of being exploited? What numbers do you have that show this is common?
(Also, again, someone could easily run something locally)