Debian as a server gets security updates, but the packages for desktop remain old, feature robbed and vulnerable. Default Web browser is passing on manifest v3 which enhances security. Linux isn’t going TPM2 (yet) which prevents rootkits, bootkits, keyloggers, and malware. Linux doesn’t enforce security updates. Anyone that thinks Linux doesn’t have frequent security problems hasn’t done a web search on the topic. All operating systems have issues, -Desktop Linux deliberately so.
Well, duh, it’s like reading the fire is hot, then burning yourself touching it, and complaining about it. Why’d you use Debian on a desktop anyways? You can technically use snap/flatpak/appimage/nix/guix/etc to get newer packages, tho. Not sure why, but still.
Also,
Boot/rootkits – maybe, depending on the setup. Keyloggers and malware – how exactly? The only thing it creates is a chain of trust, and it so happens that most malware, including keyloggers, works in user-space (albeit preferably with elevated privileges). Besides, if you want max security, you want heads + qubes anyway.