Score:0

Can a Linux web server which hasn't been restarted for years be secure?

aq flag

The content of /proc/uptime reports:

48973211.37 1627573879.70

48973211 seconds means the server has been up for 567 days without a restart.

Since then many serious security fixes have been applied to the Linux kernel. Because my server was never restarted, I must be missing all those patches. I am at a big European web hoster. But I don't want to blame anyone, so I won't tell the name.

It's a small web space. I have PHP + MySQL (nothing special).

I didn't try it out, but it might be possible to run executables using PHP's exec() function, making it possible to make kernel calls directly. But even if it's not possible, I think the missing patches are a problem.

So how can that be secure? I know there are many different virtualization techniques around. Maybe one of them explains it?

cn flag
`So how can that be secure? I know there are many different virtualization techniques around. Maybe one of them explains it?` It isn't secure, and the answer is negligence. Everyone knows that there are a truckload of security vulnerabilities every month.
br flag
Well technically if there's an up to date firewall in front of it with a deny-all rule on it :)
zomega avatar
aq flag
@Chopper3 It's possible someone makes an HTTP request. Apache HTTP server then calls a buggy kernel function. As you see, in this case the firewall does not help.
Score:2
cn flag

No, a box up for that long is not secure.

General purpose operating systems should be rebooted multiple times a year, to take security (and quality) updates. All processes will be affected, as eventually there will be fixes for the application, C library, TLS library, and so on. Easier to take the entire system down and prove it can do a warm boot.

Live patching is a limited technology. Some enterprise distributions will go through the trouble of providing no-reboot updates for very select, mostly security, kernel updates. But this cannot fix everything; the majority of applications have no such thing.

Assuming this is a VM guest, the hypervisor under it also needs occasional maintenance. Live migration or saving memory state can make the guest appear to keep running, even when it switches physical hosts. But this does nothing for patching the guest, which still needs its own updates.

When using managed hosting services, the compute guest and host are another person's responsibility, but you still can get assurances. Ask the provider what their software update policies are, in general. As in, do they explicitly take responsibility for this, and is the frequency quarterly or whatever. Not having an answer, or intentionally leaving things running for years, are indicators of incompetence.

If availability is the concern, they should have some multiple node high availability solution. It's not the uptime of any one host, but the overall service being provided.
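
A check for the situation discussed in this thread, added here as an example and not part of any post: it reads a `/proc/uptime`-format file and compares the running kernel release with the newest one installed on disk. The function names and the kernel release names in the demo are assumptions made for illustration; the uptime line is the one quoted in the question.

```shell
#!/bin/sh
# Added example: report uptime and whether the running kernel is older than
# the newest one installed on disk (i.e. updates were installed but never booted).

# Days of uptime, rounded, from a /proc/uptime-format file (field 1 = seconds up).
uptime_days() {
    awk '{ printf "%.0f\n", $1 / 86400 }' "${1:-/proc/uptime}"
}

# Newest kernel release with a module tree in the given directory. Assumes one
# subdirectory per installed kernel, as under /lib/modules; sort -V (GNU) orders
# 5.4.0-150 after 5.4.0-42, which a plain lexical sort would get wrong.
newest_installed_kernel() {
    ls -1 "${1:-/lib/modules}" 2>/dev/null | sort -V | tail -n 1
}

# Usage: kernel_status RUNNING_RELEASE MODULES_DIR UPTIME_FILE
# Returns 0 if current, 1 if a newer kernel awaits a reboot, 2 if undetermined.
kernel_status() {
    running=$1
    newest=$(newest_installed_kernel "$2")
    days=$(uptime_days "$3")
    if [ -z "$newest" ]; then
        echo "UNKNOWN: no installed kernels found (up $days days)"
        return 2
    elif [ "$running" != "$newest" ]; then
        echo "REBOOT NEEDED: running $running, newest installed $newest (up $days days)"
        return 1
    fi
    echo "OK: running newest installed kernel $running (up $days days)"
}

# Demo on constructed data: the uptime line is the one quoted in the question;
# the kernel release names are made up for illustration.
demo() {
    d=$(mktemp -d)
    printf '48973211.37 1627573879.70\n' > "$d/uptime"
    mkdir -p "$d/modules/5.4.0-42-generic" "$d/modules/5.4.0-150-generic"
    rc=0
    kernel_status 5.4.0-42-generic "$d/modules" "$d/uptime" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true
# On a real host: kernel_status "$(uname -r)" /lib/modules /proc/uptime
```

This only catches kernels that were installed but never booted; a host that received no updates at all reports OK, and updated user-space libraries still loaded by long-running processes need their own check.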

Score:0
fo flag

No. Not secured.

Virtualization techniques like containerization can provide some level of security for a Linux web server, but they are not a substitute for regular updates and monitoring. While they can help isolate the server from potential threats, it's still important to keep the underlying operating system up-to-date and monitor for any issues.
