I am one of the people to whom you refer. I read about fail2ban in a "Linux Server Bible" e-book around 2010 and have used it on all of my servers since, even though I am careful with my keys and use password-less login.
Does fail2ban have authorization to write firewall rules? That's a high-impact vector of attack, should fail2ban have a vulnerability. Also, does fail2ban store credentials that provide that authorization?