As everyone has, I built my own static site generator called Fairytale (https://github.com/46Bit/fairytale). Unlike a lot of them, it wasn't intended as a simple magic-incantation tool: I reimplemented the relevant parts of Sinatra for static-site compilation. You program everything and in development can just use the sinatra gem instead of the fairytale one to get a server.
I've been using it on https://46bit.com for something like a year now, and the thing I've realised is that it's largely a luddite thing. The movement is a rebellion against POS software like Wordpress, but ignores the fact that building a nice, Markdown-driven app with caching and a lovely interface is actually quite easy & friendlier in the long run.
It might be great for people afraid of servers, but I'm not. I don't want to be - I'm still serving a bunch of dynamic apps off the same two servers I use for a few static sites, and I enjoy learning how to tune them.
I'm planning to transition away from static sites. Initially to just serving a Sinatra app, then later to a custom Padrino or Rails blog engine. Would love to hear if anyone's got any suggestions for something off-the-shelf and hacker friendly in Ruby though.
I think calling it "a Luddite thing" is perhaps a little overkill.
Sure, it's easy enough to scale Wordpress, but I literally won't use 99% of the features that Wordpress offers, and all those features are potential attack vectors. On top of that, with every blog engine / CMS I've ever used (including the ones I'd custom-written), at some point I end up needing to use an iframe with static content because a CMS is only so flexible.
Instead of all that, I can put up a static page that is infinitely flexible, use Disqus for comments, and be pretty much free of risk. No database to hack into, no patches to apply, etc. On top of all that, it's even easier than using Wordpress.
So, while I don't disagree that there are people using Jekyll and its ilk to rebel against Wordpress, an equally valid wonderment would be in trying to figure out how Wordpress got so carried away.
Editing to add that your approach is pretty much the same thing I did, but in Django instead of Ruby. I kept using the "CMS"-like methods of Django, but then completely render them out as static pages to be published to S3.
You sum up exactly why I've long since not cared about WordPress, but you seem to assume anything dynamic has to have an admin interface.
The ideal engine for me still uses flat files for content, but doesn't compile the files to HTML. Let a cache like Varnish handle the load. That way I can implement things like comments without running off to the latest service-of-the-month that might shut down and take everything with them.
So what's an example of a flat file that isn't HTML? If you have flat files, what value does Varnish provide?
If you're accepting user input to write files, then you have vulnerability. I'm not saying you do or don't, but it's an attack vector. As for Disqus, sure, I'm at their whimsy when it comes to security, but they haven't bitten me yet, and I'd hardly consider them fly-by-night as they've been around for years now, and have been profitable since their first year.
For what it's worth, I wasn't considering the admin site as vulnerable, as those are generally disabled before deploying, but if you're running a database, or Varnish, or Apache, or whatever, your risk is increased for vulnerability, but I suppose that's neither here nor there really, as I think it comes down to a matter of taste and, as you said, I'm trading system vulnerability for third-party vulnerability. The upside though is that while sure, somebody could munge my site up, fixing it is just uploading another copy.