You do need to at least: set up automatic security patching (a one-line command), turn off password authentication, disable root, and probably run ufw or something. It’s not hard, but it is slightly more effort than Heroku.
The hard part is making sure this random list of things I found on the internet is sufficient to keep the site secure, and taking the blame if it turns out not to be.
As opposed to trusting the random black box company on the internet? Don't you take the blame still for picking a company whose product you are unable to do due diligence on?
The OP wanted updates to happen in some automated fashion from a git repo. Also, didn't say specifically, but I'm guessing they wanted https and certificates.
Indeed. Besides GitHub integration, Automatic Certificate Management (ACM) is actually a feature I really appreciate on Heroku. Some might describe it as glorified Let’s Encrypt but nonetheless I appreciate things like that just working out of the box