The problem with Debian is their insistence on "stability" by not updating the packages. In the modern world, when software development speed picked up steam quite a lot, releases of new software happen much more often than distribution life cycles.

That's one of Debian's key value propositions. "In the modern world", updates introduce zero-day vulnerabilities, critical bugs and unproven features. Debian is the rock solid foundation you can always count on.

alphager

On the flip side, Debian doesn't upgrade to a new version when a vulnerability is found in the shipped version. Instead, they try to backport just the fix.

If Debian shipped version n and the upstream fixes the vulnerability in version n+5 (not unusual, as debian stable is routinely out of date for 2-4 years depending on the length of the testing freeze and the point in time of the stable lifecycle), this can range from trivial to near impossible in a timely manner.

They also tend to be opinionated about the software they ship and do include many Debian-specific patches. Most of them are harmless or just small changes to make the software work better with the Debian way of configuring things; sometimes much more catastrophic: https://github.com/g0tmi1k/debian-ssh