Does removing a GUI from a server make it less vulnerable?

Removing the GUI is useful and recommended. It will remove unused components and a lot of libraries, and make the install size smaller.

How does this make it less vulnerable?

Fewer components equal less attack surface. A vulnerability on a GUI component will not affect you. Attacks relying on GUI components won't work either.

So, when designing a server, remove every single component not needed by the application you are serving. It will be way more secure than using the default install.
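Since the thread is about Windows servers (the DC case below), here is what "remove the GUI" looks like in practice on Windows Server 2012 / 2012 R2, where the full shell is just another removable feature. This is an added example, not code from either answer. It assumes the `ServerManager` module is available (it is on Server SKUs) and that the box is 2012 or 2012 R2: Server 2016 and later do not support converting a Desktop Experience install to Server Core, so there the choice is made at setup time.

```powershell
# Added example: audit the GUI attack surface on Windows Server 2012 / 2012 R2
# and remove it. Not part of the original answers. Assumes the ServerManager
# module (Get-WindowsFeature / Uninstall-WindowsFeature) is present.

# 'Server Core' means no shell; 'Server' means the full GUI is installed.
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
Write-Host "InstallationType: $installType"

# Rough attack-surface baseline: number of installed features. Re-run the
# script after the reboot to compare.
$installedCount = (Get-WindowsFeature | Where-Object Installed).Count
Write-Host "Installed features: $installedCount"

# The features that make up the GUI on 2012 / 2012 R2. Server-Gui-Shell (the
# desktop, Explorer, IE) sits on top of Server-Gui-Mgmt-Infra (MMC, Server
# Manager); Desktop-Experience adds media player, themes and so on.
$guiFeatures = 'Server-Gui-Shell', 'Server-Gui-Mgmt-Infra', 'Desktop-Experience'

$present = Get-WindowsFeature -Name $guiFeatures | Where-Object Installed
if (-not $present) {
    Write-Host 'No GUI features installed; nothing to do.'
    return
}
$present | Format-Table Name, DisplayName, InstallState -AutoSize

# Dry run first: -WhatIf lists everything that would go, including any roles
# or features that depend on the GUI components.
Uninstall-WindowsFeature -Name $present.Name -Remove -WhatIf

# Real removal. -Remove also deletes the payload from the side-by-side store,
# so the binaries are gone rather than merely disabled (re-adding them later
# needs -Source pointing at install media). The server restarts to finish.
Uninstall-WindowsFeature -Name $present.Name -Remove -Restart
```

After the reboot, `InstallationType` reads `Server Core` and `Get-WindowsFeature Server-Gui-Shell` shows `Removed`; the difference in installed-feature count is the part of the attack surface the GUI was carrying. Run the `-WhatIf` pass on a DC before the real one, because anything that depends on the management shell is removed with it.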


Removing the GUI also has the side effect of making it a bit more "human safe" because, put bluntly, it makes the OS more idiot proof.

There are countless stories of small businesses having users reading mail and browsing the internet on the company DC. The user opens a bad attachment and suddenly everything is on fire. Simply removing the GUI from the server prevents this sort of thing from happening.

Another useful side to this is protecting servers from sysadmins. The general consensus is that you should not be running standard user programs on a server but instead in containers/somewhere else. I've stumbled upon a few servers in my time running CCleaner. While the use of the tool is arguable, it has absolutely no place running on a DC because it simply isn't designed for servers.

Most of these aren't mistakes that any experienced sysadmin would make. Security of an enterprise, however, is based on the weakest link. If all of your other sites are extraordinarily well secured but one manager decides that Bob from finance needs a faster computer to work on spreadsheets but doesn't want to purchase one and decides to let him into the server closet, you're in trouble if he manages to sign in.