
How many times did this happen since Debian's inception? How much time did it take to fix it when it happened?

Because "few" and "not much" would be fantastic.

Nothing is perfect.



That particular outstandingly bad security bug, once. (There are other cases of bugs in Debian that aren't present in upstream - in particular, Debian packagers introduced enough bugs in cdrecord that the maintainer made future versions non-open-source as he felt that these bugs that were not his fault were hurting his reputation - but I don't have any stats, and I don't feel that the rate of bugs in Debian is particularly high compared to other projects if we set aside the security-specific aspects).

Regarding time to fix it, the bug was fixed about 2 weeks after it was reported, but it had been present for about 20 months (affecting all DSA keys generated on Debian systems during that time) - since security audits and researchers only look at the original upstream source, the bug was only spotted when a user noticed that two of the servers they were logging into had the same SSH key.
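The duplicate-key observation in the comment above is a check a defender can automate. The following script is an added example (not code from the commenter or from Debian): it fingerprints each entry in a known_hosts file the way OpenSSH does (SHA256 of the key blob, base64 without padding) and reports any key that more than one host presents. The ed25519 blobs and hostnames are constructed for the example, not real keys.

```python
"""Flag SSH host keys that appear on more than one host in a known_hosts file."""
import base64
import hashlib
import struct
from collections import defaultdict

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    raw = base64.b64decode(b64_blob)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str):
    """Yield (hostnames, key_type, fingerprint) per entry; skip comments and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # drop markers such as @cert-authority / @revoked
            fields = fields[1:]
        if len(fields) < 3:
            continue
        hosts, key_type, blob = fields[0], fields[1], fields[2]
        try:
            fp = fingerprint(blob)
        except ValueError:  # binascii.Error is a ValueError; skip undecodable blobs
            continue
        yield hosts.split(","), key_type, fp

def shared_keys(text: str) -> dict:
    """Map fingerprint -> sorted distinct hostnames, for keys seen on more than one host."""
    seen = defaultdict(set)
    for hosts, _, fp in parse_known_hosts(text):
        seen[fp].update(hosts)
    return {fp: sorted(h) for fp, h in seen.items() if len(h) > 1}

def _fake_ed25519_blob(seed: bytes) -> str:
    """Constructed ssh-ed25519 wire blob (string type + 32 arbitrary bytes); not a real key."""
    key = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return base64.b64encode(blob).decode()

# Constructed sample: two hosts ended up with the same key, one has a unique key.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "alpha.example.test ssh-ed25519 " + _fake_ed25519_blob(b"weak-seed-1"),
    "beta.example.test,10.0.0.2 ssh-ed25519 " + _fake_ed25519_blob(b"weak-seed-1"),
    "gamma.example.test ssh-ed25519 " + _fake_ed25519_blob(b"unique-seed"),
])
```

Running `shared_keys(SAMPLE_KNOWN_HOSTS)` returns one fingerprint mapped to alpha, beta and 10.0.0.2; a non-empty result on a real known_hosts file is the same signal the user in the story noticed by hand.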



