[octotoad]

Security fixes are backported to Debian stable release packages. Any respectable, production-ready, stable/LTS distro does this.

Obviously you don't get the new features and functionality that may be introduced in an upstream major release, but security patches are covered.

[p1necone]

The extra work (presumably it's non trivial) to do this could be spent on further hardening the current version if they didn't need to be supported though.

[0815test]

Debian's current, supported version is the stable version. The reason why it's only released every two years and why it feels so 'old', is because it takes Debian Developers many months to "further harden" it before release. It wouldn't make sense to release it under a quicker schedule. Debian does offer "rolling" channels with prompt updates (testing, unstable) but those are officially not meant for real, production use.

[p1necone]

I'm not talking about Debian, I'm talking about the old versions of third party software shipped with Debian that have to continue being supported with security updates.