The choices aren't some purist notion of "secure" versus "not secure".
Security is a spectrum of practical choices informed by threat models, and it's only one (certainly important!) aspect of the complex choice of selecting an operating system.
For example, I would absolutely advise my mother-in-law to write complex passwords on sticky notes. She's far more likely to fall victim to credential stuffing than to have her apartment broken into and her passwords stolen, and I accept that trying to get her to use a password manager would certainly fail and she'd just fall back on reusing simple passwords.
A security purist who thinks in terms of "secure" or "not secure" would scoff at this. Writing down passwords! That cannot be done!
But given the threat model and an acceptance of expected user behavior, it's a perfectly valid choice.
If I'm running a Linux desktop, I've already made a more secure choice by getting out of the firing line of typical untargeted malware.
With some additional basic security hygiene, the greatest threats are a) phishing/social engineering, for which zero days aren't the primary concern, or b) targeted attacks where clearly they are.
As I'm not a target of interest, I'm not too terribly worried about the latter. As for the former, distro choice doesn't make much of a difference.
So yeah, given that threat model, I'm comfortable waiting the few days it takes for security fixes to trickle down from sid to testing. And if I really cared, I'd follow the guidance mentioned in one of the links you posted, and just pull patches down from sid on an as-needed basis.
Switching to a completely different distro, by contrast, would be a ridiculous overreaction given the context and associated trade-offs.