You're conflating "boring" with "solved problems," which is fair, but the distinction matters for security.
Postgres/Node/Redis requires you to understand replication, connection handling, secret rotation, network isolation. That knowledge gap is where vulns hide. Lambda/DynamoDB/SQS pushes those problems onto AWS, which is great until you misconfigure IAM or assume the default encryption is enough.
Boring tech isn't about whether it's popular. It's whether you can reason about its failure modes without consulting twelve blog posts. Most teams can't actually do that with either stack.
The zero-ops claim doesn't hold up under attack either. I've seen way more Lambda security incidents than Postgres ones, mostly because people treat AWS services like magic.