> What’s the most secure OS for servers? Why?
The one you built yourself with a kernel stripped down to a TCP stack and a few essentials, a bare userspace and bootloader, and just enough libc to support whatever you're serving.
Why? Minimal attack surface.
Why not? Most people won't spend the time to learn OS/distro building. It's a steep curve, maybe one or two years to master building a minimal viable OS with just a kernel and shell, doing something like Linux From Scratch [1] or similar [2], and then learning the ins and outs of (dpkg-tools/debconf type or similar) source package management way to roll your own bare-bones.
I don’t know how good they are and have never used any, but there’s tooling for building the ultimate stripped-down kernel: unikernels (https://en.wikipedia.org/wiki/Unikernel).
A quick Google gives me https://nanovms.com/, https://github.com/solo-io/unik and https://github.com/rumpkernel/rumprun.
A disadvantage of such a stripped-down system is that debugging it can be difficult. For example, if there’s only one process, you can’t open a shell to look around on a misbehaving system.