tyrro
For just a few servers or a few sites that's not on DigitalOcean you're right about the pricing. But if you have many servers and / or sites then it compares favorably (or better) to other folks with per-site or per-server pricing since it's unlimited servers and sites.
(But you don't have to pay anything if you don't want. You can probably write your own providers by following the digital-ocean example for anything with a rest api.)
WordPress core is likely far more secure that most other things give the sheer amount of attention it gets. But, yeah, if you do silly things around security like weak passwords or unvetted additional plugins of fail to use a 2FA solution, you'll have an issue. (I never understand why anyone would state something is insecure and worried about it being easily hacked and then go on to recommend it to their clients anyway - it's a really weird dichotomy in logic I see all the time in the WP world that doesn't exist in most other software ecosystems.)
Plus there are security audits on the thing that are public which is more transparent than many other folks who's running god knows what on their SaaS codebase.
All those words are just my argument to not dismiss it out of hand if you're looking for an alternative.