If you're going to wait a few months to update, you are much better off on an actual non-rolling release distro than Arch. Arch frequently does not test upgrades for packages more than several versions out of date, whereas distros with proper releases will test upgrading from the previous stable version.
Debian testing, however, isn't a proper released distro -- it's sort of a mishmash between a perpetual beta and a rolling release. Debian stable has proper releases, and Ubuntu was started largely as a result of people who wanted more frequent Debian releases.
> If you're going to wait a few months to update, you are much better off on an actual non-rolling release distro than Arch.
I think that's a good point and that makes sense. And I agree with that from my experience. However, I generally think that one should not wait months to do updates.
To be clear, the whole idea with Debian stable is that you get security patches all the time, but no new (or depricated) features/apis. So you update every night, but you upgrade only when a new release comes out.
Compared to that testing does both: typically similar frequency of security-related patches (but not guaranteed!) as stable -- and also migrations of new packages from unstable as soon as they "settle down" (and in "reasonable" sets, so that dependencies work).
So, you want a backported fix for the bash bug, in bash 4.2, but not upgrading to bash 4.3 -- possibly breaking somehting depending on 4.2 behaviour (something other than an exploit for shellshock, that is).
(Now, bash is pretty stable, so may not be the best example -- but the point remains).
If you're running testing, in addition to apt-listbugs, you want to have a look at "aptitude safe-upgrade/upgrade" vs "aptitude dist-upgrade" (or apt-get upgrade vs dist-upgrade). A dist-upgrade can be a little bit more invasive, and typically warrants some more vigilance than a mere "safe-upgrade". I don't think I can remember a "safe-upgrade" ever breaking anything in my ~14 years of using Debian. It's pretty safe to script to run automatically, unless you have very strict policies on uptime/predictability.
Debian testing, however, isn't a proper released distro -- it's sort of a mishmash between a perpetual beta and a rolling release. Debian stable has proper releases, and Ubuntu was started largely as a result of people who wanted more frequent Debian releases.