> why can't I buy a glorified router box that does all of this?

Step 0 is to secure that box, as routers are obvious targets, even before they have self-hosted data. There are some products based on RPi, NAS and router form factors.

> suspicious absence of products in this space

Earlier efforts:

  Apache Wave (federated)
  Chandler
  Diaspora
  FreedomBox
  Microsoft Groove (p2p)
  Urbit.org
  Sandstorm.io

Active OSS projects include Proxmox (https://community-scripts.github.io/ProxmoxVE/), Paperless-ngx (docs), Immich (photos), Nextcloud and others: https://github.com/awesome-selfhosted/awesome-selfhosted

Thanks for the links; however, everything above is off the mark, even NextCloud, which I once used to really like. The only problem is that you are instantly deep into the weeds that no PC/Apple consumer-civilian would ever wade into. Facebook and their ilk don't need a manual, and neither should a webserver with an email server need a manual to get you started; just a subdomain, email domain and username should get you started.

As for security, it is all a bit meh. If you have a box that only runs https: with no other ports open, you are half the way there. If you are just running static pages then you are done. If you run a NextCloud type of beast then you are opening things up, but my hunch is that it works just fine with nobody losing sleep on it.

One example might be the eero (now Amazon) router that is managed by a cloud account and mobile device app. To get the simplicity you want, keep the control plane in the cloud and keep data on the edge device. Parts of the control plane could gradually migrate to the edge device over time, while retaining the same user-facing interface. But it would always be a challenge to "serve" content from home networks with NAT/CGNAT. Cloudflare Tunnel, Tailscale or a similar proxy can help in some cases, e.g. re-routing email to big providers that refuse to recognize self-hosted outbound.