> But never ever anyone was rooted because of malware that was snuck into an official .deb package.

Sure. The tradeoff is that when there's a zero-day, you have to wait for Debian to fix it, or to approve and integrate the dev's fix. Finding malware is one thing; finding unintentional vulns is another.