There’s an added advantage to running your own server or VM. Heroku is a big, juicy attack target. Your little side project is not. If you take the basic precautions, your VPS will probably be just fine unless you become super successful and a juicy target in your own right.
The security history of VPS’ don’t lend much credibility to your argument. It was a running gag for awhile how frequently Linode was getting owned up (they may be great now this was a while ago).