I've often run Debian - if I open a fresh install and run Debsecan, I see CVE's posted 10+ years ago for software that should've been updated almost just as long ago. The Debian people say they prefer "stability" and "thorough package testing" before deployment - well, I've seen language change...