Why do you say so?
Critical security fixing time is years, not days. Also in practice, a lot of people use PPAs to get work done, and this is a critical component in an audited system.
I’m just gonna leave these here:
[1] https://security-tracker.debian.org/
[2] https://security.archlinux.org/
...then everyone can compare upstream/downstream fixing times for themselves.
Remember: “not yet assigned” is equivalent to “not fixed”.
Why do you say so?