[bitlevel]

Because it's not conjusive to a minimal attack surface - by way of example: https://www.helpnetsecurity.com/2019/02/13/cve-2019-7304/

[Osiris]

Not to completely minimize it, but that says local attacker, not remote attacker. So someone would still have to gain access to the system in question in the first place.

[phone8675309]

Just because a server is headless does not mean that it isn't interactive in some way or running some user-submitted scripts or code.

Also, compromising a service running as a user (not root) would be sufficient to then escalate.