I had a quick read. Yes your right it doesn't require client-side js. It essentially functions as any "real" "normal" webserver would without it and doesn't do all the "event-driven" stuff which kinda makes using it pointless.

But anyway, this is the way I see it.

Normal websites only have to worry about automated vulnerability scanners, weak admin passwords and common misconfigurations when it comes to security.

BitcoinTalk.org is in a different kind of situation. It is in the cross-fire of cyber-warfare. Plenty of malicious hackers use this website for nefarious and non-nefarious reasons. It is likely to be the target of 0day exploits. Anything that runs on BitcoinTalk.org needs to be battle-hardened. We should be running OLD software that is known to be highly secure and stable. 3 year old web servers are a definite no go. We should be using 30 year old web server software. Some hacker would be browsing the forums one day, accidentally break something some hipster wrote yesterday and then realize they've just found a 0day in node.js and decide to own the forum.