Our security history is pretty good, and we provide a wide variety of security features like 2FA, TLS with Let's Encrypt certificates, various password and login policy options, etc.
I would argue that non-technical users are safer using Virtualmin (I can't speak to the security history or features of any other panels) than doing it themselves, because it's easy to make security mistakes when doing it yourself if you don't have a lot of time to research all the options. If someone can invest the time to learn how to manage all of their own services, and can invest the time to build out all of the security features included in a default Virtualmin installation, then absolutely removing the GUI is removing one vector of potential attack; you should always turn off services you don't need. But, based on history, I can say with reasonable confidence that Virtualmin is probably not going to be the way an attacker gets in (it's probably going to be weak passwords, old software, poorly designed custom web apps, etc.).
I would argue that non-technical users are safer using Virtualmin (I can't speak to the security history or features of any other panels) than doing it themselves, because it's easy to make security mistakes when doing it yourself if you don't have a lot of time to research all the options. If someone can invest the time to learn how to manage all of their own services, and can invest the time to build out all of the security features included in a default Virtualmin installation, then absolutely removing the GUI is removing one vector of potential attack; you should always turn off services you don't need. But, based on history, I can say with reasonable confidence that Virtualmin is probably not going to be the way an attacker gets in (it's probably going to be weak passwords, old software, poorly designed custom web apps, etc.).
Disclaimer: I work on Virtualmin.