I think calling it "a Luddite thing" is perhaps a little overkill.
Sure, it's easy enough to scale Wordpress, but I literally won't use 99% of the features that Wordpress offers, and all those features are potential attack vectors. On top of that, with every blog engine / CMS I've ever used (including the ones I'd custom-written), at some point I end up needing to use an iframe with static content because a CMS is only so flexible.
Instead of all that, I can put up a static page that is infinitely flexible, use Disqus for comments, and be pretty much free of risk. No database to hack into, no patches to apply, etc. On top of all that, it's even easier than using Wordpress.
So, while I don't disagree that there are people using Jekyll and ilk to rebel against Wordpress, an equally valid wonderment would be in trying to figure out how Wordpress got so carried away.
Editing to add that your approach is pretty much the same thing I did, but in Django instead of Ruby. I kept using the "CMS"-like methods of Django, but then completely render them out as static pages to be published to S3.
You sum up exactly why I've long since not cared about WordPress, but you seem to assume anything dynamic has to have an admin interface.
The ideal engine for me still uses flat files for content, but doesn't compile the files to HTML. Let a cache like Varnish handle the load. That way I can implement things like comments without running off to the latest service-of-the-month that might shut down and take everything with them.
So what's an example of a flat file that isn't HTML? If you have flat files, what value does Varnish provide?
If you're accepting use input to write files, then you have vulnerability. I'm not saying you do or don't, but it's an attack vector. As for Disqus, sure, I'm at their whimsy when it comes to security, but they haven't bitten me yet, and I'd hardly consider them fly-by-night as they've been around for years now, and has been profitable since their first year.
For what it's worth, I wasn't considering the admin site as vulnerable, as those are generally disabled before deploying, but if you're running a database, or varnish, or Apache, or whatever, your risk is increased for vulnerability, but I suppose that's neither here nor there really, as I think it comes down to a matter of taste and, as you said, I'm trading system vulnerability for third party vulnerability. The upside though is that while sure, somebody could munge my site up, fixing it is just uploading another copy.