
Of course, it's trivial for a system that retains very little personal data (and really shouldn't be storing any) to comply with GDPR.

Besides the obvious "less data, fewer problems" angle there's also the bureaucracy angle - last time I worked on GDPR compliance I got stuck in the middle of a fight between security (who wanted to store all the data forever), the legal team specifically in charge of figuring out what's in scope for GDPR, and another, more generic legal team (this one was the worst - they had no idea what the system does and ignored any attempts at explaining it, plus they kept pushing for unrelated, often contradictory retention changes).



We did have some talks with a lawyer about security (in particular logs), and the general consensus was that as long as they are stored explicitly for that purpose and only that purpose, it isn't a problem; they just have to be properly secured.

Logs like that fall under 6.1.b-f; basically, "making sure a malicious actor can't fuck with the site" overrides needing to get permission to process that. Again, only if they are used ONLY for that and are stored securely.

Same reason why security footage (which also falls under GDPR) doesn't need consent, only a visible notice at the property entrance informing who is processing that info.



