HTTP/1.1 is far easier to implement, thus it is reasonable to assume it should contain fewer bugs.

HTTP/2 (and HTTP/3) is vastly different in features (added multiplexing, windowing, HPACK etc). All this transforms a largely stateless connection (in the HTTP/1.1 case) to a stateful one. And in order to maintain the stateful connection, you need to store some data (state, configuration etc), thus all these problems.

Also, in HTTP/2, since multiplexing is added, the protection characteristics are different. For example, if the connections were generated by CDN source draws, you may just allow fewer number of connections each with a large pool of multiplex channels, but if the connections were from direct user access, you may then want to allow large number of connections, but each with fewer number of multiplex channels. In HTTP/1, protection is much simpler, since everybody looked almost the same.

Correction: statement "reasonable to assume it should contain fewer bugs" is not true. The correct idea is "it should be is easier to implement HTTP/1.1 server safely because HTTP/1.1 is a simpler protocol compare to HTTP/2".

Fortunately, continuation frames don't exist in HTTP/3.

QUIC protocol itself is certainly sophisticated, but implementing it might be a different story. I'm still skeptical about the overall "safety"/protection of HTTP/3.

A QUIC UDP server is definitely going to need to store state data to maintain a connection/session, and now you also have the good old UDP security (packet flood protection etc) mixed in. I guess time will tell.

Upgrading merely to upgrade is not good engineering practice. If you expect to receive no additional benefits from the upgrade then it is probably not justified.

In ideal world yes. But most of the open source packages fixes security issue only for the last 1-2 major versions. Which means upgrading just to upgrade is a good practice as you don't have to worry about package changes at the moment of upgrading to fix security issue.

Unfortunately, there's also a lot of parroting that upgrading is a "best" practice.

COBOL was great until it wasn't.

Would not say that COBOL is still great (never wrote it) but the main problems in COBOL horror stories usually mismanagement and underinvestment, not the technology.

Not necessarily. Everyone saying HTTP/1.1 is simple has never implemented a full real-world-compatible parser for it.

HTTP/1 has lots of unobvious edge cases, and legacy quirks. Text format has way more flexibility than it seems from valid headers. It has obscure features like multi-line headers and old MIME features, 100-continue race conditions, custom hop-by-hop headers, GET bodies.

Fortunately new HTTP RFCs document many pitfalls. If you just implement what RFC 2616 said, you won't have a safe implementation.

Actual size of a request or response can be specified in multiple ways (at the same time, with conflicting values), and depends on a combination of several features, and values of headers with weird parsing rules needed for backwards compat, so "simple" HTTP implementations can be tricked into request smuggling.

Either way you need a robust, well-tested mature implementation.

I was wondering about that. It is more mature an less complex so it seems probable it is safer.

Probably. HTTP/2 is good for streaming, and even that is being replaced by newer protocols.

For normal asset serving the only advantage is more assets can be loaded in parallel since HTTP/1 is limited on connections per domain. CDNs on different domains usually prevent this from being an issue.

In theory you could serve unbundled JS assets via HTTP/2, but I have never seen it in production. Likely because you still need a compilation step most of the time.