Is a Website Only With Static HTML Secure?

In short answer, Yes.

In the long answer, well, it really depends on the media from server to the clients it self. If your website only uses static HTML and is still hacked, then you need to pay attention to the following technical matters.

1. Server Side

HTML is the front layer that does not have direct access to the server. So some hacking methods to exploit the server cannot be done directly through HTML. However, by carrying out direct attacks on the server, the website that you create even with only static HTML is useless.
Server-side vulnerabilities in this case include, Operating System vulnerabilities, Network Misconfiguration, and loopholes of Applications used in that server.

2. Network

If the server is deemed secure enough, the next vulnerability is data transfer while on the network. Either when the user uploads via FTP, or when visitors have to deal with MITM attacks.

3. Client Side

In this case the device is used by you as a website owner. If your laptop or PC is not safe from viruses or malware, then your data related to access to the server will be easily stolen. So the attack is not directly to the server or via HTML, but directly to you to be able to get access to the server and then carry out hacking actions on the website that you create.

Long story short, basic protection is important from the safety of the website that we make. And this also applies to websites that we create dynamically.