The one you built yourself with a kernel stripped down to a TCP stack and a few essentials, a bare userspace and bootloader, and just enough libc to support whatever you're serving.
Why? Minimal attack surface.
Why not? Most people won't spend the time to learn OS/distro building. It's a steep curve, maybe one or two years to master building a minimal viable OS with just a kernel and shell, doing something like Linux From Scratch [1] or similar [2], and then learning the ins and outs of (dpkg-tools/debconf type or similar) source package management way to roll your own bare-bones.
If the service is part of a larger distributed system, then network isolation (for the hosts it doesn’t need to reach), application level authn/authz (on the peer instances it does need to reach), and monitoring/alerting about the host’s behavior in its interactions with other hosts can all help to protect the larger system if the host is nevertheless compromised.
For “embedded” systems (and her I am including bare-metal single-function production servers), I would choose Yocto. It was designed from the ground up to build custom Linux distributions. Every component can be modified trivially, and many different systems can be built using them same components. There are many security features that integrate seamlessly through 3rd party “layers”: secure boot with full chain of trust, secure file systems, SELinux, and so on. It’s easy to extend the system with new “recipes” and “overlays”.
I am currently working on a IoT project that likely will include several edge servers, which will replace extant cloud services. Each system will run a custom kernel (using hand-crafted configurations) and read-only root filesystem (containing only those packages required for running that service). Aside from better utilizing our compute resources, this move will save tons of bandwidth for our customers.
Best of all, we will no longer need to trust our cloud provider to protect our systems and data. Those vendors have show their willingness to push small players in front of a bus, so I consider it outright foolish for most businesses to rely on them as their primary service provider.
I decided on NixOS.
The defaults start out locked down. The firewall has only port 22 open, so give your root user a decent password, and immediately set up your user with a public/private key, test it works then turn off root login via ssh and password logins.
NixOS also only installs what you configure, and remove what you don't, so if you like utils that are considered standard, like 'which', be sure to include them in your configuration.
With NixOS I feel like I know exactly what's on my system at any given time, and nothing should be there that I didn't put there by declaring I want it there.
I have my system set up to update daily so it gets security fixes immediately.
I also have a reproducible system built on a functional build tool called Nix. I can replicate the system easily. If I want lockfile level reproducibility (like rust or npm), I can use flakes.
Are there other distributions more focused solely on optimizing security? Maybe, but the core NixOS development are extremely security conscious and I trust them more than any other group of core distribution group.
Can you run one of the esoteric OSes mentioned here, with a default stance that is "more secure"? Sure. But, when something breaks, can you fix it? Will you be able to maintain it? Will others? If you are building a security _appliance_, like a firewall, I would say 100% run a default secure OS. If you are running a server, pick something you are good at maintaining, and maintain it. It's not perfect, but if you maintain it you'll do pretty well.
If you want to manage the servers yourself there are lots of options. I would choose Debian or Rocky Linux. FreeBSD is another choice. But you will need to spend lot of time and effort to harden your infrastructure.