
This is a misunderstanding of the purpose of Debian, which comes in several flavours: Stable, Testing, and Unstable. Stable does indeed "lock" older versions of packages, but this comes with the enormous benefit of reducing maintenance caused by bugs, regressions and incompatibilities that occur in newer releases. Only security updates are released, but there are also methods for installing newer versions of packages if you like, which is exactly what I want from a server operating system.

If you are looking for more of a Fedora or Arch-like experience on desktop, then you could investigate Debian Testing or Unstable.

As for the radare2 security issues, it appears that the package is part of the Ubuntu universe or community repository, and has been abandoned by its maintainer. It won't receive any official support from Canonical. It's probably a bad thing that Ubuntu allows this in a way that's not super clear to the end-user; however, the best solution would be for somebody to step up to the role of maintaining the package, or for it to get removed from the universe repository altogether.




Debian-Testing is the worst of both worlds. It doesn't get updated as frequently as -unstable and doesn't get security fixes in time like -stable. e.g. firefox-esr was on 68.11.0 for two months until in the last few days it finally switched to 72.3.0. So users were running a vulnerable version all that time [i.e. they never got even 68.12.0].

https://tracker.debian.org/pkg/firefox-esr


I consider the in-between nature of Testing to be a feature. Less-frequent updates than Unstable drastically reduce breakage, but I still get new stuff. The lack of timely security updates does unfortunately mean I have to be a little more vigilant.

I usually run Stable for about 6 months after its first major release, since Testing often has a lot of churn then, and sometimes breaks.

I've been running this way on my desktop machine since Stretch was Testing and have been really happy with it.

For apps like Firefox, I run the upstream version anyway, which auto-updates on upstream's schedule.



