[moehm]

Yes, but the web server is just reading files from disk and not invoking an application server. So if you keep your web server up to date, you are at a much lesser risk than if you would also have to keep your application + programming environment secure.

[manmal]

That really depends on the web server, and the web app you'd otherwise be writing. If it's a shitty static web server, than a JVM or BEAM based web app might be safer actually.

[moehm]

Uh, yeah, I thought about Nginx or Apache and would expect them to be more secure then your average self-written application.