linux
bmgg, 2021-06-16 09:54:57

Can a Linux server be hacked?

I plan to set up a web server containing valuable data on nginx + Django, Debian OS.
To ensure security:
- a firewall is installed that blocks everything except the ssh and nginx port
- fail2ban is installed and ssh access by key is configured
- regular system updates

What is the probability of server hacking and how can I improve its security?

10 answer(s)
Alexey Dmitriev, 2021-06-16
@SignFinder

Yes, they can be easily hacked. For one simple reason: you are not a professional in securing Linux servers, since you asked your question here. So there's a good chance you'll miss something.

Vladimir Korotenko, 2021-06-16
@firedragon

Either they get hacked or not.
Security is a process. Linux itself is pretty well protected.
But your Django application may contain errors; look towards OWASP to avoid the most obvious ones.

Ronald McDonald, 2021-06-16
@Zoominger

In theory, they can, especially considering how many holes and zeroes there are in Linux.
But your methods completely reduce this probability to zero.
True, I would not advise the ancient Debian with rotten packages, but some CentOS or Ubuntu.

index0h, 2021-06-16
@index0h

Regarding ssh and nginx: it's better to open nginx on a public ip, and ssh on a private one.
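
An added example, not part of any post in this thread: a small Python check that compares a host's listening sockets against the policy discussed here (web port public, SSH bound only to a private address, everything else loopback-only). The port sets, the `scope` and `audit` helper names and the sample `ss -tlnH` output are assumptions constructed for illustration.

```python
import ipaddress

# Assumed policy (from the thread): web port public, SSH only on a private address.
PUBLIC_OK = {443}
PRIVATE_ONLY = {22}

# Constructed sample of `ss -tlnH` output, not captured from a real host.
SAMPLE = """\
LISTEN 0 511  0.0.0.0:443      0.0.0.0:*
LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 128  10.0.0.5:22      0.0.0.0:*
LISTEN 0 2048 127.0.0.1:8000   0.0.0.0:*
LISTEN 0 244  [::]:5432        [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""

def scope(host):
    """Classify a bind address as 'loopback', 'private' or 'public'."""
    host = host.split("%")[0].strip("[]")   # drop %iface suffix and IPv6 brackets
    if host == "*":
        return "public"                     # wildcard: every interface
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "public"                     # 0.0.0.0 / :: listen on every interface
    return "private" if ip.is_private else "public"

def audit(ss_output):
    """Return (address, port, reason) for each listener that breaks the policy."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        port, where = int(port), scope(host)
        if where == "loopback" or port in PUBLIC_OK:
            continue
        if port in PRIVATE_ONLY:
            if where == "public":
                findings.append((host, port, "must bind to a private address"))
            continue
        findings.append((host, port, "unexpected non-loopback listener"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a real host, pass the output of `ss -tlnH` to `audit`; a firewall may still filter a flagged port, so a finding means the bind address should be tightened as a second layer.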

Uncle Seryozha, 2021-06-16
@Protos

Think more about the architecture: you need to ask the question of how to reduce the likelihood of access to sensitive data before the attack is detected and blocked by you.
You also need to look in the direction of architecture: the web server is in the DMZ, the Django application is in another segment, the database is in another. Access from the Internet goes only to the DMZ server on the user port (TCP 443); the admin panel is available from inside the network, from another segment where your PC is.

Drno, 2021-06-16
@Drno

Allow SSH in the firewall only from certain IPs (for example, from your external home one). Then they definitely won't climb on it. Well, as for the security of the web server, think for yourself; it depends on the application.

acwartz, 2021-06-16
@acwartz

And how can you improve its security?

You can not do all this on your own, but hire specially trained people or even a company that will give you FTP / SSH, and you will not have a headache about any of this, well, except for paying for services.

Fenrir89, 2021-06-16
@Fenrir89

SSH by key, nginx prohibits uploading files, only reading to the directory with PHP (Python)

Alexander Falaleev, 2021-06-16
@suffix_ixbt

All the advice is correct, but the main thing is to read the news of specialized sites every day.
A 0-day vulnerability in Exim led to hundreds of thousands of Linux servers being hacked around the world.

none7, 2021-06-17
@none7

Django vulnerabilities are pouring in as if from a cornucopia. So, if they want to hack, they will hack. It should be treated as untrusted code, like JS by default in browsers. If this valuable data is served by this engine, then you can forget about its secrecy. You can only protect it by closing the web server off from the outside and allowing access only through a VPN, for example, by forwarding ports through SSH. Then only the customers will be the weak point. However, in these times of huge botnets, this is not at all a guarantee of protection.
