There’s a story that hit Slashdot today about Debian (see bug #433869) not using the security.debian.org system to send out an update to the timezone data for a change in New Zealand daylight savings time.
The update in question is not a security fix, however having the correct time on a system is very important for security. Without the correct local time across all of your different systems (and thus having the correct timestamp on log messages) you will not be able to collate messages between different systems (e.g. routers, firewalls, other unix/linux systems) during an incident. This has already been released by Microsoft, Red Hat and, I expect, other vendors.
To me this seems just to be another reason that an commercial company should not run Debian GNU/Linux as you’re at the whims of a bunch of volunteers who are unlikely to understand the security concerns of your business (e.g. PCI/DSS or Sarbanes-Oxley). However it’s still a good OS if you’re running a personal system or if you can have a team of Debian sysadmins/developers at your call to backport important package changes.