Because, nginx is a hardened program used by thousands of companies with a strong interest in making sure there aren't vulnerabilities. Also, it is a program with a very narrow set of functions. Nginx vulnerabilities are comparatively rare: two security advisories in 2016, none in 2015. [0]
By comparison, app code is often developed rapidly and often only reviewed by at most a few people. Even companies staffed by brilliant minds like Google regularly have vulnerabilities in their application code.
It also takes somethings that would suck to learn the ruby version of, the php version of, the node version of, the python version of, etc., and does it faster, and allows you to isolate it from your application's complexity and business logic cleanly. Those things are serving static assests, SSL, and backend spliting. I cringe everytime I see a tutorial loading up the framework in a slow language like node or php to pass a static asset without the use of something like Apache or nginx.
