That is why I no host.
Unless the system is kept up to date automatically it's going to be vulnerable to something.
All the web applications also seem to be exposed to the Internet directly which makes things even more dangerous. They all seem to be running PHP, presumably under the same user, so it probably takes only one security hole to compromise the whole thing.
Nowadays I am running Cloudron for these use cases. Here the big plus in apps is that each app runs on docker and has to use the Cloudron docker vase image (with very few paths having write access), through that apps and the server can easily backed up and restored in exactly the same state (user, data, apps installed).
But it's open source, so if you can life without the automatic updates and the app store (install apps and updates manually through their cli utility) you can still install more apps.
Their source repo at https://github.com/YunoHost/yunohost shows that it's a couple scripts bundled into a Debian installer. Their news feed even talks about which Debian version is supported: https://mastodon.social/@yunohost/100220968128029115
I don't trust a software provider that is either lying on their front page, or isn't competent enough to understand what their product is.
Linux can be also be an OS on its own, because its kernel<->userspace API is stable. This is not true of all kernels, for example macOS does not guarantee stability below libSystem.
Some people extend "operating system" up into userland tools that are bundled by the vendor or specified by a standard like POSIX, for example `ls` or `initd`. I think this is stretching the meaning a bit, because to the kernel there's no difference between `ls` and (for example) Firefox.
Of all the things to criticize, this seems like something to praise.