I love Debian, but this is a genuine deal that many people don't know about. It also compounds if you're on Ubuntu as sometimes Canonical adds their own patches too. If you're just using Debian as a base OS to serve your own software, it doesn't matter as much but still does somewhat. It's not unusual for Debian-specific patches to be applied by the package maintainers in order to fix build errors, mismatched dependencies, etc. Most of the time those patches are harmless, but sometimes they are not. There have been security vulnerabilities for example that only existed in the Debian-based package of software. No distro is perfect and I don't intend this as a criticism of Debian (as they have legitimate reasons for doing what they do), and no distro (not even Arch) ships everything without any patches, but in my years of experience I've bumped my head on this in Debian several times.
Currently on mobile and going from memory, but I remember having to push out quick patches for something around 2020-ish or late 2010s? The tip of my tongue says it was a use-after-free vuln in a patch to openssl, but I can't remember with confidence. I'll see if I can find it once I get home.
Worth noting lest I give the wrong impression, I don't think security is a reason to avoid Debian. For me the hacked up kernels and old packages have been much more the pain points, though I mostly stopped doing that work a few years ago. As a regular user (unless you're compiling lots of software yourself) it's a non-issue
