Stable not being secure is not correct. if you take a Stable LTS OS it has a guaranteed support cycle for patching security issues. Stable does not mean no updates, you will still get daily/weekly package updates for bug fixes and enhancements, as well as kernel fixes. In the case of a kernel up revision on rolling release fixing a major flaw, you also have to realize new software means new bugs and new vulnerabilities ( that are yet unknown ) Also if you worry about CVE stuff try SUSE or OpenSUSE’s zypper it has various command parameters to search and list patches, suggested security patches and will show a full list of what patches are available for your system, which ones are critical, recommended, not needed, etc with CVE numbers.