Sounds like, to this 'expert', updates are the same thing as security, as if there were no bugs in new software. The truth is that thinking of software security in those terms is a mistake. Software security is a game of cat and mouse; from the simplest program to the most complex enterprise platforms, the same principle applies. You patch one hole, but there is always the risk of opening a new one, or you have others that you don't know about yet.
That being said + all the recent Intel hardware bugs that have been revealed recently (which have been present in hardware for decades), it's tough to qualify anything as truly secure.
With that in mind... I myself have become inclined towards Debian... because it runs on pretty much anything... The one (significant) drawback is that the community sucks, so if you're not self-sufficient in a Debian environment, good luck. But then again, I don't use a 'desktop', but rather just a bare install with a command line to install servers and deploy services, so there is not much interaction with a 'desktop'.
I do hope to be able to build one from scratch at some point if given the opportunity.