[OrangeMonkey]

For droplets and ec2, you 'own' the inside of the virtual machine and its your responsibility to install software that you need and patch it according to a routine schedule.

That said, both services have firewall rules you put in place that help manage this. IE - you may expose SSH to your local ip address, but only port 80/443 for the rest of the world.

You are right though - its another attack vector. If you don't want to muck with that, and you have a static site, you could put your static site into S3 and then host with cloudfront. With that, you have no risk.