I've been running Debian as a server, and on my desktops, for years now.. I have never heard of a case of a backdoor being put in a Debian package.. the Debian security team is very thorough, and the structure of the group provides a great way for things to get checked out before they hit release.

Debian is very well known for its security and stability. The only things people complain about are the old-style text installer.. and its slow release cycle (stability is favored over bleeding-edge software).

To become a Debian maintainer, you must prove yourself by building your packages to some fairly high standards, submitting them for review, and then waiting for them to be approved. This isn't an easy process.. I know several Debian developers, and they are very talented people.

As far as the previously commented Red Hat security, the security in Red Hat 7.x and newer comes from a set of good default firewall rules.. the services are running, but unless you explicitly turn off the firewall, the only inbound connection allowed is DHCP.. even ssh is defaulted to not allow from outside.

And with current Red Hat 7.2 and later, you get Red Hat update, which is very similar to Windows Update, and provides an icon that shows you the status of the security patches.. a nice little red exclamation point is shown when things need updating.
_________________________
80gig red mk2 -- 080000125
(No, I don't actually hate Alan Cox)