Hacker News

kstrauser today at 5:04 PM

Say I do everything right and still get compromised because an AWS 0-day lets attackers read the RAM of my virtual server. It’s my responsibility, but is it my fault?

There’s no such thing as a secure system that’s usable. You can asymptotically approach it given infinite money, in the same way you can approach physical security (“if it were really important to you, you would’ve cloned Fort Knox, so I guess you don’t care”) or even the speed of light. But even Fort Knox is vulnerable to a highly determined invading army.

Getting compromised doesn’t inherently mean you made mistakes.


Replies

fn-mote today at 5:13 PM

> Getting compromised doesn’t inherently mean you made mistakes.

I entirely agree, but I think the reason you see such upset posts is that they are thinking of situations where EGREGIOUS mistakes were made and no liability was found.
