
If you're using a modern web server like nginx, then you have to really do something wrong to get hacked serving static files.



Agree - an up-to-date system running only nginx and fail2ban is likely to be more secure than some vendor's who-knows-what's-on-it image which exposes various "services".


That's not really fair, zero days will always exist.


In order to be fair, threat models should be taken into account. People seem to be conflating nation state operations using advanced capabilities worth at least hundreds of thousands of dollars to compromise high value targets/infrastructure with "my pet project may get 0 day'd" which is the exact opposite of being fair. Moreover, if the argument is "zero days will always exist" you may as well stop using technology entirely.


What setup is immune to zero days?


S3, GitHub, Netlify, etc. are going to be infinitely more secure than your home setup.

And are basically free.


But no more immune to zero days


They're not immune to 0-days, though.

They just have more staff on hand to respond, run updates, and do the due diligence of checking and implementing patches.



