I get what you are saying, and if anything all the "attacks" in the logs should build you some confidence. Oh, so 98% of all attacks assume I haven't changed the root password? I must be ahead in the game then.
But the way you phrase it isn't really convincing, and for singling out 443 and 80 ports. As the subthread of breaches hints towards. You might not need to be worried about nginx, but whatever you host on nginx might be a problem and being "certain the software you use is secure" is also pretty darn useless as guidance.
How do you run software? Or if you are using managed hosting or a platform for running software, how exactly do they solve this “security strictly < 1, have to run somehow” dilemma?
* Try to avoid it in the first place.
* Do research, minimize risk and make whatever compromises you are willing/able to make
* Isolate it
* Maintain, update and monitor it
You seem to include some absolute security, which is obviously nonexistent in this world (p!=0 for any event according to some models), into your internet exposure formula, when "minimize risk, make whatever compromises, update" is sufficient (to me) and everything above that is just worrying too much without having control. I think that's where we fundamentally disagree.