Well, same goes for a lot of other packages in general, on Ubuntu LTS as well. If you really need some patch or a feature then you have to edit and compile that package yourself, which is not always possible due to dependencies. But sometimes it's just a case of maintainers compiling packages without some shockingly basic flag - like libcurl without brotli support (now commonly used by servers to compress web pages, so you need it to decompress). The good side is that packages are rarely updated so you don't have to do this regularly, but it's still a pain in the ass.
Debian Testing is actually pretty stable itself though, but the drawback is that security patches are not backported like they are to Stable, so you have to wait until they're transferred from Sid the regular way. If something else blocks that package from arriving at Testing then your system is left vulnerable. So now you have to follow their security announcements and patch things yourself if it's something serious. Also pain in the ass.