I'm assuming Debian stable gets prompt security patches ?

Yep. They're usually out extremely quickly after the first public disclosure. I suggest that you subscribe to debian-security-announce for a while to get an idea of when the update announcements are made vs the original vulnerability.

They're easy to apply, too:

# apt-get update
(update the package database with the new version numbers)
# apt-get upgrade
(download and install the new versions)

The one downside is that it's not just desktop packages that are behind. Examine carefully what you actually need, because it might not be in there.