[christophilus]

You do need to at least: set up automatic security patching (a one-line command), turn off password authentication, disable root, and probably run ufw or something. It’s not hard, but it is slightly more effort than Heroku.

[D13Fd]

The hard part is making sure this random list of things I found on the internet is sufficient to keep the site secure, and taking the blame if it turns out not to be.

[Handytinge]

As opposed to trusting the random black box company on the internet? Don't you take the blame still for picking a company whose product you are unable to do due diligence on?