The ideal engine for me still uses flat files for content, but doesn't compile the files to HTML. Let a cache like Varnish handle the load. That way I can implement things like comments without running off to the latest service-of-the-month that might shut down and take everything with them.
If you're accepting use input to write files, then you have vulnerability. I'm not saying you do or don't, but it's an attack vector. As for Disqus, sure, I'm at their whimsy when it comes to security, but they haven't bitten me yet, and I'd hardly consider them fly-by-night as they've been around for years now, and has been profitable since their first year.
For what it's worth, I wasn't considering the admin site as vulnerable, as those are generally disabled before deploying, but if you're running a database, or varnish, or Apache, or whatever, your risk is increased for vulnerability, but I suppose that's neither here nor there really, as I think it comes down to a matter of taste and, as you said, I'm trading system vulnerability for third party vulnerability. The upside though is that while sure, somebody could munge my site up, fixing it is just uploading another copy.
Sorry, that's probably confusing language here. I was referring to structuring Markdown files in a flat-file database, not the concept of compiled HTML files.