What would you see as bad practice, and which distros do better?

I think Debian is very good for someone who has spent some weeks working with Ubuntu and wants to go one step more into independent distros. I mean it is the main distro for many others to upstream bug fixes.

So for stability it is absolutely great.


Discussion

Debian freezes packages and only updates them during major OS upgrades or when a security fix has received a CVE. This means that if you use software that had a security issue that was fixed and not reported, it's certain you're vulnerable.

There were cases where we were aware of serious vulnerabilities that were fixed in software we used, for example our web server nginx, but they did not get the fix in Debian because of no CVE assignment. We don't use Debian on any of our infrastructure. The assumption that every project obtains CVE assignments for each vulnerability is unrealistic.

You can also say the same thing about web browsers, which are dangerous to leave unpatched because they're some of the most widely desired software categories to exploit. Certain Debian users were hit with attack campaigns years ago because of their unpatched browsers.

Freezing updates for applications is anti-security; keeping apps up to date and patched is an extremely basic first security practice.

To answer your question, Fedora is better than most due to not having this package update problem and other problematic Debian quirks like their problematic app configuration and patch choices. All the Linux distributions lack in the OS and app security department and the Linux kernel itself is not immune to critique.

Arch Linux also provides proper security updates for the most part through updating to the current stable releases of software. But it is just a standard Linux distribution otherwise and is certainly not hardened.

https://secureblue.dev/ was discussed elsewhere in these comments too.