I feel you're looking a few levels into the decision tree of Hugo then using that level as the root of a decision tree to review all the other choices. There's not really a feasible way an individual can cut out a programming language or rebuild large portions of the stdlib like HTTPS and end up with something that's easy to maintain or reliable (or time feasible). There ARE easy ways an individual can generate static HTML without pulling in 1200 dependencies. Should there not have been a reasonable alternative to generating static pages that better aligned with the author's stated goals then sure, Hugo+Github would make just as much sense as pulling in the Linux, bash, and go dependencies did.
With GitHub I didn't catch that the reasons revolving around SLA/uptime percentages rather non-breaking change intervals and probability the service will exist usable as is in 10 years. Migrating to another host doesn't necessarily fix this unless there is a particular one to mention that will guarantee existence of the exact method of operation for the next decade and have a solid guarantee for the service to be offered as is for that long. The choices of Golang's stdlib and Linux provide reasonably solid choices in this regard as neither is going to change in a way that breaks deploying/running the site unless they _absolutely_ need to and both have about as big of support backing as one could reasonably expect to find so are unlikely to pull the rug out from the site on the premise of moving on to something newer and shinier like business offerings are often changed/deprecated for.
Certificates I definitely see a closer balance/argument on. On one hand the Github Pages way is really easy, they do it for you. On the other hand they are trying to avoid services that can disappear from them and are probably using ACME which seems to be pointed at Let's Encrypt right now. If for some reason Let's Encrypt did disappear though, which I'll be honest I'm on the side of that being less likely than some breaking change in the way an automated Github Pages hosted static site would function but I can see that being debated either way, at least it's not particularly hard to change the ACME provider for such a case. There may also be some personal sway on whether it's better to manage your own security certificates or not but I also can see that falling to either side depending on the person.
Regardless of choice the toolchain is going to have to be kept up to date to stay secure. There isn't any option to choose which is indefinitely secure and without security bugs.
With GitHub I didn't catch that the reasons revolving around SLA/uptime percentages rather non-breaking change intervals and probability the service will exist usable as is in 10 years. Migrating to another host doesn't necessarily fix this unless there is a particular one to mention that will guarantee existence of the exact method of operation for the next decade and have a solid guarantee for the service to be offered as is for that long. The choices of Golang's stdlib and Linux provide reasonably solid choices in this regard as neither is going to change in a way that breaks deploying/running the site unless they _absolutely_ need to and both have about as big of support backing as one could reasonably expect to find so are unlikely to pull the rug out from the site on the premise of moving on to something newer and shinier like business offerings are often changed/deprecated for.
Certificates I definitely see a closer balance/argument on. On one hand the Github Pages way is really easy, they do it for you. On the other hand they are trying to avoid services that can disappear from them and are probably using ACME which seems to be pointed at Let's Encrypt right now. If for some reason Let's Encrypt did disappear though, which I'll be honest I'm on the side of that being less likely than some breaking change in the way an automated Github Pages hosted static site would function but I can see that being debated either way, at least it's not particularly hard to change the ACME provider for such a case. There may also be some personal sway on whether it's better to manage your own security certificates or not but I also can see that falling to either side depending on the person.
Regardless of choice the toolchain is going to have to be kept up to date to stay secure. There isn't any option to choose which is indefinitely secure and without security bugs.