Sure, but even in those “few cases” Testing will get them soon.

Didn’t I allude to that with:

"it doesn’t receive the security backports like Stable does nor does it receive them as soon as Unstable/Sid does.

Though I do notice that the above sentence contains an error that is perhaps misleading. By definition, Unstable/Sid doesn’t receive security backports. Instead, the updates related to security are (usually) first received in Unstable/Sid. So, the above sentence tried to portray the following picture related to security:

Unstable/Sid ~ Stable >> Testing

I did read at some point that Testing may receive security updates later than stable, might be in those cases in which backports come straight from unstable.

That’s basically the point I’ve been making 😉.

I think the only remaining point of contention is the degree by which Stable does receive security backports right after Unstable/Sid does while Testing only receives it later.

Honestly, I don’t know the specifics. But Debian Testing’s wiki entry notes security concerns multiple times. And it’s all related to the fact that they don’t receive the security backports as soon as Stable receives them. The explanation related to security updates concerning the three distinct branches is covered in even more detail over here.

Basically, after I’ve read all of that, it’s clear as day that security is not a priority on Testing. And while band-aid solutions do exist, it’s simply not designed to be secure.