Hacker News
by halJordan 1063 days ago
I know open source projects that update their code every 30 days. Unless you're continuously and permanently monitoring every patch of every library then this isn't true.
2 comments

Run the Debian Stable version and you're spared such churn. The version you're running may lag the current one by a few points but that is a small price to pay for relative stability (as in 'know your daemons'). Security fixes are backported but new functionality is not. While not a perfect guarantee - remember the weak key debacle - this strategy does provide a stable baseline which, in contrast to proprietary software [1], can be audited for telemetry/data leaks/etc.

[1] yes, yes, yes, it is possible to run that proprietary tool through Ghidra (et al) to look for nasties as well but this is far harder, you don't just run a diff between two binaries.
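The "security fixes are backported" claim above is something you can verify rather than take on trust: the Debian changelog for a stable package names the CVEs each stable update fixes, so you can check whether the version you actually have installed already carries a given fix. The script below is an added example, not code from the thread or from Debian; it parses a constructed changelog (placeholder package name and placeholder CVE IDs of the form CVE-0000-NNNN, none of them real) and answers "is CVE X fixed in the installed version?" by changelog order, which sidesteps re-implementing dpkg's version comparison.

```python
import re
from dataclasses import dataclass, field

# Debian changelog entry header:  pkg (version) distribution; urgency=...
HEADER_RE = re.compile(
    r"^(?P<pkg>[a-z0-9][a-z0-9+.-]+) \((?P<version>[^)]+)\) (?P<dist>[^;]+); urgency=(?P<urgency>\S+)"
)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# Stable point-update revisions carry a "+debNNuM" suffix (e.g. +deb11u2).
STABLE_UPDATE_RE = re.compile(r"\+deb\d+u\d+$")


@dataclass
class Entry:
    package: str
    version: str
    distribution: str
    cves: set = field(default_factory=set)


def parse_changelog(text: str) -> list:
    """Return changelog entries newest-first (the order Debian changelogs use),
    each with the set of CVE IDs mentioned in its body."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)        # body/trailer lines are indented, so they never match
        if m:
            current = Entry(m["pkg"], m["version"], m["dist"].strip())
            entries.append(current)
        elif current is not None:
            current.cves.update(CVE_RE.findall(line))
    return entries


def is_stable_update(version: str) -> bool:
    """True if the Debian revision marks a stable security/point update."""
    return STABLE_UPDATE_RE.search(version) is not None


def fixed_in(entries: list, cve: str):
    """Oldest version whose changelog entry mentions the CVE, or None."""
    for entry in reversed(entries):
        if cve in entry.cves:
            return entry.version
    return None


def is_fixed_in_installed(entries: list, installed_version: str, cve: str):
    """Decide by changelog position whether the installed version includes the fix.
    Returns None when the installed version is not in the changelog at all."""
    versions = [e.version for e in entries]
    fix_version = fixed_in(entries, cve)
    if fix_version is None or installed_version not in versions:
        return None
    # Newest entries come first, so a smaller index means a newer version.
    return versions.index(installed_version) <= versions.index(fix_version)


# Constructed sample changelog; package and CVE IDs are placeholders, not real ones.
CHANGELOG = """\
examplepkg (1.4.2-1+deb11u2) bullseye-security; urgency=high

  * Backport upstream fix for CVE-0000-0002 (placeholder ID) without
    pulling in the 1.5 feature changes.

 -- Maintainer <maint@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000

examplepkg (1.4.2-1+deb11u1) bullseye-security; urgency=high

  * Fix CVE-0000-0001 (placeholder ID).

 -- Maintainer <maint@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000

examplepkg (1.4.2-1) unstable; urgency=medium

  * New upstream release.

 -- Maintainer <maint@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000
"""

if __name__ == "__main__":
    entries = parse_changelog(CHANGELOG)
    for e in entries:
        print(e.version, e.distribution, "stable-update" if is_stable_update(e.version) else "", sorted(e.cves))
    print("CVE-0000-0002 fixed in 1.4.2-1+deb11u1?", is_fixed_in_installed(entries, "1.4.2-1+deb11u1", "CVE-0000-0002"))
    print("CVE-0000-0002 fixed in 1.4.2-1+deb11u2?", is_fixed_in_installed(entries, "1.4.2-1+deb11u2", "CVE-0000-0002"))
```

On a real Debian box you would feed it the output of `apt changelog <pkg>` and the installed version from `dpkg-query -W -f='${Version}' <pkg>`; the parsing and the order-based check are the same. A CVE that never appears in the stable changelog is exactly the case to go and look at `debian/patches` in `apt-get source <pkg>`, since the absence of a mention is not the same as the absence of a fix.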

But you can compile it and disable all that stuff with a patch. With closed source, we have to wait for 60 days, find the IP and block it, etc.?

Dealing with open source projects is way easy tbh.