That only happens in old Stable, the previous version of Stable, or machines without internet, or machines which don't receive manual maintenance (otherwise you'd need apt install unattended-upgrades).
In Stable (what you call Stagnant) vulns get backported. Only the code fixing the vulnerability gets updated, the rest is left untouched. Its how Apple deals with older iOS versions, and it keeps their happy users of older devices happy.
If I run some old piece of hardware/software, there are a few things I want: I want it to keep functioning the way I bought it, and I want it to remain secure and reliable. So what I want is security and reliability fixes ie. what Debian Stable (and e.g. Ubuntu LTS) receives.
I was on about security and reliability fixes. These are applied when you run Stable, via Security repository, enabled by default. I was not on about Backports repository.
In Stable (what you call Stagnant) vulns get backported. Only the code fixing the vulnerability gets updated, the rest is left untouched. Its how Apple deals with older iOS versions, and it keeps their happy users of older devices happy.
If I run some old piece of hardware/software, there are a few things I want: I want it to keep functioning the way I bought it, and I want it to remain secure and reliable. So what I want is security and reliability fixes ie. what Debian Stable (and e.g. Ubuntu LTS) receives.