Yes, hardware that old can be a security risk. A specific example is speculative execution side channel CPU attacks, which cannot be fully fixed in software.
Supermicro X9SCM-F can socket Xeon E3-1200 v2 series. Per Intel security guidance, that family is discontinued. In theory, a BIOS update would get some fixes up until Intel stopped releasing microcode for this CPU, but the Supermicro BIOS updates I found appeared to be too old to have any fixes.
Hardware level security flaws of this category are not easy to exploit; they require untrusted code that exercises the CPU in a very specific way. Unlikely to be targeted at most organizations' risk levels, but concerning in that it bypasses many isolation techniques.
As to not needing the OS to exploit a hardware vulnerability over the internet, out of band management is risky. Do not put IPMI or similar on the internet, especially when there will be no more security updates for that server model.
In a different category of risk, you are not likely to get help with this hardware. Hardware and software support might not help you, and parts may not be available.
Ports 80 and 443 are only accessible from the internet behind NAT.
NAT does not provide security. Firewalls do. An equivalent packet filter in an IPv6-only network with zero NAT would be similarly secure.
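
Added example, not part of the original answer: assuming the server runs Linux, the kernel reports its own view of the speculative execution flaws under `/sys/devices/system/cpu/vulnerabilities`. This script classifies those status strings and flags the entries where a fix depends on microcode the platform no longer receives. The `SAMPLE` strings are constructed for illustration and are used only when that directory is absent.

```python
from pathlib import Path

# Linux sysfs directory with one status file per CPU flaw (assumes a Linux host).
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

def classify(status):
    """Map one kernel status string to (verdict, caveats)."""
    low = status.strip().lower()
    caveats = []
    if "no microcode" in low:       # kernel mitigation needs a microcode update
        caveats.append("needs microcode")
    if "smt vulnerable" in low:     # sibling hyperthreads can still leak
        caveats.append("SMT exposed")
    if low.startswith("not affected"):
        verdict = "not affected"
    elif low.startswith(("vulnerable", "processor vulnerable")):
        verdict = "vulnerable"
    elif "mitigation" in low:       # also matches "KVM: Mitigation: ..."
        verdict = "mitigated"
    else:
        verdict = "unknown"
    return verdict, caveats

def read_sysfs(directory=SYSFS_DIR):
    """Return {flaw: status}, or {} when the directory does not exist."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text().strip()
            for p in sorted(directory.iterdir()) if p.is_file()}

def report(statuses):
    """Classify every flaw and list the ones that need attention."""
    results = {name: classify(s) for name, s in statuses.items()}
    attention = sorted(n for n, (v, c) in results.items()
                       if v in ("vulnerable", "unknown") or c)
    return results, attention

# Constructed sample statuses, not output captured from any real server.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "spectre_v2": "Mitigation: Retpolines; STIBP: disabled; RSB filling",
    "srbds": "Vulnerable: No microcode",
    "itlb_multihit": "KVM: Mitigation: VMX disabled",
    "tsx_async_abort": "Not affected",
}

if __name__ == "__main__":
    results, attention = report(read_sysfs() or SAMPLE)
    for name, (verdict, caveats) in sorted(results.items()):
        print(f"{name:20} {verdict:13} {', '.join(caveats)}")
    print("needs attention:", ", ".join(attention) or "none")
```

A "needs microcode" caveat on a discontinued CPU family is the case the answer describes: the operating system has attempted its mitigation, but the vendor-side half of the fix is not coming.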