Many risks are possible from a compromise including using the web server into a source of malware, creating a spam-sending relay, a web or TCP proxy, or other malicious activity.
The operating system and packages can be fully patched with security updates and the server can still be compromised based purely on a poor security configuration.