I personally would lean towards nearlyfreespeech.net as a first choice. They seem to be highly robust. At least this holds until we get to sites that need a full daemon.
I always wonder, for folks who self-host on Droplets or EC2 - how do you handle provisioning the server to ensure that it's secure and has everything you need? I use Laravel Forge for this. I'm not a server admin and don't want to pretend to be.
For droplets and ec2, you 'own' the inside of the virtual machine and its your responsibility to install software that you need and patch it according to a routine schedule.
That said, both services have firewall rules you put in place that help manage this. IE - you may expose SSH to your local ip address, but only port 80/443 for the rest of the world.
You are right though - its another attack vector. If you don't want to muck with that, and you have a static site, you could put your static site into S3 and then host with cloudfront. With that, you have no risk.
For personal sites or ones that do not matter that much:
* Digital Ocean
* Amazon Lightsail
For sites related to your livelihood or that matter a good bit:
* AWS works well for me.