Dynamic sites are a strict superset of static sites. A static website will always be easier to host, and it will always have a smaller attack surface simply because less code is needed - especially custom one-off code.
There is no custom executable to run, there is no need for authentication, there is no need to write files to disk, there is no need to parse user-provided content, there is no need to access a database, there are no custom libraries to update... A static website can literally be "upload and forget", and that simply isn't the case for dynamic sites.
There is no custom executable to run, there is no need for authentication, there is no need to write files to disk, there is no need to parse user-provided content, there is no need to access a database, there are no custom libraries to update... A static website can literally be "upload and forget", and that simply isn't the case for dynamic sites.