Does that actually happen in practice though? And as for the severity, we're talking desktops so the most critical piece of software is the browser. Firefox is the only piece of software I download outside of the repositories to make sure the updates come directly from the source, but other than that, openssh very rarely has serious vulnerabilities, to attack Thunderbird you'd already need to mitm my traffic... it's all rather unlikely.
The only guarantee that the Debian project makes is that the stable branch is the security team's main priority. In practice, I've found that unstable and testing usually get patches pretty quickly.
Also security updates? Wouldn't that make the new version insecure at launch until someone pushes a thousand security updates at once (making it kind of 'testing' again because none of these were in testing before and thus haven't been widely tested)?
You raise a good point since I notice I don't know the process as well as I thought I did, but it seems odd that the frozen testing repo would only get all security updates all at once months later.
IIRC, Debian testing doesn't have a separate channel for security updates. Security updates are handled like regular updates: they start on Debian unstable and then flow down to Debian testing.
The Debian wiki mentions that delays can be especially large after a new release comes out. I don't know if I was misremembering it or if it can be problematic both before and after a stable release comes out. Hopefully someone with more Debian experience can clear this up.
I don't know if anything actually shows up here, but you no longer get the error for security.debian.org when you try to upgrade via s/stable/testing/ in sources.list.
https://www.debian.org/security/faq#testing