Currently on mobile and going from memory, but I remember having to push out quick patches for something around 2020-ish or late 2010s? The tip of my tongue says it was a use-after-free vuln in a patch to openssl, but I can't remember with confidence. I'll see if I can find it once I get home.

Worth noting lest I give the wrong impression, I don't think security is a reason to avoid Debian. For me the hacked up kernels and old packages have been much more the pain points, though I mostly stopped doing that work a few years ago. As a regular user (unless you're compiling lots of software yourself) it's a non-issue

In general, most responsibly reported CVE allow several weeks for the patch fixes to propagate into the ecosystems before public disclosure.

Once an OS is no longer actively supported, it will begin to accumulate known problems if the attack surface is large.

Thus, a legacy complex-monolith or Desktop host often rots quicker than a bag of avocados. =3