
Quoting Brian May (brian@microcomaustralia.com.au):
> For me the benefit Ubuntu has it that I get daily security updates that rarely break anything (yes I know it does happen) without having to do a daily upgrade to the latest Debian/testing (which ends up taking significant time, especially if you have multiple computers to maintain and/or if things break badly) while at the same time not falling behind as much as Debian/stable.
What you describe resulting from 'doing a daily upgrade to the latest Debian/testing' implies doing something like 'apt-get dist-upgrade', which indeed hogs a lot of time and bandwidth -- especially if you've made the error of doing a kitchen-sink installation -- but is completely unnecessary: The interesting thing about Debian's security updates (as detailed on the debian-security-announce mailing list, http://lists.debian.org/debian-security-announce/) is that, upon examination, you find that 95% are either irrelevant to your installed system for one reason or another (package not installed, threat model applies only to a particular configuration you don't have), or are intended to fix theoretical vulnerabilities so far-fetched that there's no hurry dealing with them.

In 2011 so far, there have been 211 postings to that mailing list (whose postings I skim-read). Of those, 42 were package updates that were _potentially_ applicable to my Debian servers, and 42 were _potentially_ applicable to my Debian workstation. However, the actual number of relevant updates has been much smaller than that. Let's consider the 42 workstation packages, and spot/weed out the ones that can be ignored:

DSA 2141-2, nss: This addressed the far-fetched TLS man-in-the-middle scenario in January, which I already render irrelevant in other ways.

DSA 2142-1, dpkg directory traversal: Far-fetched attack on .deb source-code packages that are in 3.0 quilt format.

DSA 2149-1, dbus: Local DoS against dbus; not much of an attack. Carefully crafted system messages could cause an instance of dbus to segfault, but it'd launch another, so not a big deal.

DSA 2151-1 (still January), OO.o: Set of OO.o bugs whereby malicious RTF documents, XML filters, TGA (Targa) graphics files, MS-Word files could 'potentially execute arbitrary code' as the local user, which means there's no exploit and may never be, but you should get around to upgrading on general principle. I didn't bother, but instead just gave OO.o the heave-ho when LibreOffice came out.

DSA 2152-1, hplip: Irrelevant because I don't use the SNMP discovery code.

DSA 2153-1, linux-2.6: Almost entirely bugs in drivers and subsystems I don't use, except some minor information leakage and several local-user DoS bugs, meriting an eventual kernel upgrade when convenient but not urgently.

DSA 2164-1, shadow: Far-fetched, and I don't use NIS.

DSA 2176-1, cups: Basically, DoSing the print daemon with malformed files, in which case it segfaults and cupsd forks/execs another copy.

DSA 2200-1, iceweasel: Blacklisting several fraudulent SSL certs issued by Comodo, which is nice but I'd already manually removed the Comodo root cert.

DSA 2203-1, nss: Same Comodo certs, already dealt with locally.

DSA 2213-1, x11-xserver-utils (xrdb utility): So-called remote attack if remote X11 is enabled (who does that?) or there's a 'rogue DHCP server' on the local LAN issuing 'crafted hostnames' that might in some far-fetched scenario possibly stack-smash the xrdb utility, which might in theory escalate privilege. Far-fetched, no hurry.

DSA 2217-1, dhcp3: 'Rogue DHCP server' could send the DHCP client shell meta-characters that could speculatively maybe some day lead to an exploitable way to execute arbitrary code as the dhclient user. Far-fetched, and moreover irrelevant because I have DHCLIENT_SET_HOSTNAME="no".

DSA 2240-1, linux-2.6: Various kernel bugs, all of them in drivers and subsystems I don't use, except for one about video support for AGP devices, which is irrelevant because my users aren't in group 'video'.

DSA 2264-1, linux-2.6: As above.

DSA 2265-1, perl: 'tainted' flag isn't always handled correctly, which is serious but irrelevant because I don't rely on it for anything.

DSA 2267-1, perl: Perl's 'safe' module can sometimes be bypassed, which is serious but irrelevant because I don't rely on it for anything.

DSA 2275-1, OO.o: Import filter for Lotus Word Pro is subject to theoretical, speculative attack as the local user, but this is irrelevant because I don't use Lotus Word Pro files.

DSA 2287-1, libpng: Several bugs, the most serious of which can be used to make libpng grab lots of RAM, maybe fall over, and very speculatively maybe some day accomplish more mischief. Not urgent.

DSA 2292-1, dhcp3: DoS: Remote attacker can make your DHCP client program fall over. Bummer. Annoying, but hardly a security emergency.

DSA 2299-1, ca-certificates: Blacklisting Diginotar for incompetence as a CA. Irrelevant for the same reasons as the Comodo issues.

DSA 2200-1, nss: Same.

DSA 2300-2, nss: Diginotar round 2. See above.

DSA 2303-1, linux-2.6: Mostly drivers and subsystems I don't use, except two that are minor information leakage (to fix when convenient, not an emergency) and a fascinating bug in TCP sequence number randomisation that merits a kernel upgrade (again) when convenient but not an emergency. (If your secret network transactions are accessible merely by guessing packet sequence numbers, you aren't doing security right.)

DSA 2303-2, linux-2.6: Fixes a nasty bug introduced by the prior fix. (See? This is one reason to not be in a hurry except when haste is actually needed.)

DSA 2310-1, linux-2.6: Again, almost entirely drivers and subsystems I don't use, excepting a couple of minor information leakage bugs. Merits a kernel upgrade when convenient, not an emergency.

DSA 2310-1, OO.o: Bugs in the MS-Word importer, which can cause OO.o Writer to fall over but so far probably not much else.

Taking out the above 26 irrelevant or not-very-important updates, what does that leave? One fairly serious glibc update, one fairly serious PAM update, five updates each of iceweasel (Firefox) and icedove (Thunderbird), and four updates to freetype: 16 package updates, plus in some cases dependencies. So, _not_ 211 for the current year, but rather _16_. Plus a kernel upgrade or two whenever convenient.

Also, because of my usage scenarios for Iceweasel and Icedove (well-tuned NoScript and RequestPolicy for Firefox, simple HTML display in Thunderbird), I actually ignore most upgrades with perfect safety because I've addressed threat vectors at other levels. Anyway, I hope you'll notice, _very_ few package upgrades result, if you bother to read the DSAs and fix only what's worth fixing -- and if you haven't installed the kitchen sink.

By the way, if you have numerous Debian machines needing package updates, you do _not_ have them all fetch those in parallel. What you do is have each host's apt subsystem use a shared local Squid cache you establish for that purpose. That way, duplicate downloads are eliminated automatically.
> Yes, things can and do break badly in Ubuntu upgrades, but at least you only need to worry about these once every 6 months, not once every day.
As you see, you were misinformed. One just subscribes to the DSAs (very low traffic announce-only mailing list), skim-reads the occasional postings, ignores 95% as irrelevant, and acts on the remaining dozen-plus packages per year.
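The first pass of the triage described above (dropping DSAs whose package is not installed) is easy to automate. This is an added example, not code from the thread: it parses debian-security-announce subject lines of the form "[SECURITY] [DSA 2217-1] dhcp3 security update" and checks the named source package against a set of installed source packages. The sample subjects and installed set below are constructed; the dpkg query helper assumes a dpkg new enough to support the ${source:Package} field.

```python
import re
import subprocess
from typing import Dict, List, Optional, Set, Tuple

# Subject-line format used on debian-security-announce, e.g.
# "[SECURITY] [DSA 2217-1] dhcp3 security update"
DSA_SUBJECT = re.compile(r"\[DSA (\d+-\d+)\]\s+(\S+)\s+security update")


def parse_dsa_subject(subject: str) -> Optional[Tuple[str, str]]:
    """Return (dsa_id, source_package), or None if this is not a DSA subject."""
    m = DSA_SUBJECT.search(subject)
    return (m.group(1), m.group(2)) if m else None


def triage(subjects: List[str], installed_sources: Set[str]) -> Dict[str, List[str]]:
    """Split DSA subjects into 'check' (package installed, read the DSA)
    and 'ignore' (package not installed, skip it)."""
    result: Dict[str, List[str]] = {"check": [], "ignore": []}
    for subject in subjects:
        parsed = parse_dsa_subject(subject)
        if parsed is None:          # list chatter, not an advisory
            continue
        dsa_id, src = parsed
        bucket = "check" if src in installed_sources else "ignore"
        result[bucket].append(f"DSA {dsa_id} ({src})")
    return result


def installed_source_packages() -> Set[str]:
    """Ask dpkg for the source package behind every installed binary package.
    DSAs name source packages (linux-2.6, dhcp3), not binaries (linux-image-*,
    dhcp3-client), so matching must be done on ${source:Package}.
    Assumes a Debian host with dpkg >= 1.16; not used by the offline sample."""
    out = subprocess.run(["dpkg-query", "-W", "-f=${source:Package}\n"],
                         check=True, capture_output=True, text=True).stdout
    return {line.strip() for line in out.splitlines() if line.strip()}


# Constructed sample data, built from DSAs mentioned in the thread.
SAMPLE_SUBJECTS = [
    "[SECURITY] [DSA 2217-1] dhcp3 security update",
    "[SECURITY] [DSA 2152-1] hplip security update",
    "[SECURITY] [DSA 2265-1] perl security update",
    "[SECURITY] [DSA 2275-1] openoffice.org security update",
    "Re: unrelated list traffic",
]
SAMPLE_INSTALLED = {"dhcp3", "perl", "linux-2.6", "iceweasel"}  # constructed

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_SUBJECTS, SAMPLE_INSTALLED).items():
        print(f"{bucket}: {items}")
```

The "check" bucket still needs the human reading the post describes: an installed package only means the DSA is potentially applicable, not that it is worth acting on.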