Yes! The probability of a security vulnerability in the Apache install whose httpd.conf you had to write, running on a VPS you have to patch yourself, versus the probability of a security vulnerability in S3/CloudFront are indeed vastly different.
2) As for probability - I had zero security incidents on my personal website / blog in 15 years. And I did not spend my life patching things. Just few minutes every once in a while. Keep this FUD for uninformed.
These are the kinds of trade offs we make.