But teach me to fish: is this because Postgres is usually run with more layers of protection, and so it typically has more vulnerabilities compared to something that has to have an open port, like Nginx or Apache?
I think you’re on the right track. I don’t think it’s that one program type is inherently more prone to bugs or vulnerabilities than another, but rather, the difference is in the very nature of those programs.
A database (or other backend service) is designed to be run “behind the scenes”, as a component of a larger system. If it has network support, it's usually there as a simple access method for other components in that system, and assumes a controlled, protected environment. Meanwhile, a program designed for the public internet is going to have more ability to deal with whatever madness can be thrown at it, because that’s the nature of the water it swims in.
A backend service could implement the same kind of protections as a frontend service, but I don’t think it’s worth it most of the time. Database authors are (presumably) experts in data storage and retrieval, not in network security. It seems sensible for the experts in a field to remain focused on that as much as possible, and leave it to a system integrator to figure out how to connect those pieces together into a working product.
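One concrete way for the "system integrator" in the reply to check that assumption for Postgres is to audit its client-authentication rules for entries that reach beyond the host. The following is an added example, not code from either commenter; the `pg_hba.conf` sample it parses is constructed, and the severity labels are this example's own choice.

```python
"""Audit PostgreSQL client-auth rules for exposure that assumes a trusted network."""
import ipaddress

# Constructed sample pg_hba.conf (not from a real deployment):
# one socket rule, one loopback rule, one wide-open 'trust' rule,
# one LAN rule, one any-address rule with strong auth, one explicit reject.
SAMPLE_PG_HBA = """
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    scram-sha-256
host    all       all   0.0.0.0/0       trust
host    app       app   10.0.0.0/8      md5
hostssl app       app   ::/0            scram-sha-256
host    all       all   192.168.1.0/24  reject
"""

WEAK_METHODS = {"trust", "password"}  # no authentication at all / cleartext password on the wire


def parse_pg_hba(text):
    """Yield (type, database, user, address, method) tuples, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            # 'local' (Unix-socket) rules have no ADDRESS column
            yield (fields[0], fields[1], fields[2], None, fields[3])
        else:
            yield (fields[0], fields[1], fields[2], fields[3], fields[4])


def audit_pg_hba(text):
    """Return [(severity, rule), ...] for rules that expose the server beyond its own host."""
    findings = []
    for rule in parse_pg_hba(text):
        ctype, _db, _user, addr, method = rule
        if ctype == "local" or method == "reject":
            continue  # Unix socket, or an explicit deny: not a network exposure
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            net = None  # hostname or samehost/samenet/all keyword: treated as non-loopback
        if net is not None and net.is_loopback:
            continue  # reachable only from processes on this host
        if method in WEAK_METHODS:
            findings.append(("high", rule))  # network reach plus weak/no auth
        elif net is not None and net.prefixlen == 0:
            findings.append(("medium", rule))  # any address; strong auth, but relies on perimeter controls
    return findings
```

Run `audit_pg_hba(SAMPLE_PG_HBA)` to see the two rules that depend on something outside the database (a firewall, a private network) for their safety.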