This really isn't meant to come across as flippant, but if you're running something serious or important enough on your RPi that it makes you that concerned about security, maybe you shouldn't be running it on an RPi.
Often, you care about security not because of the app running on the rpi, but the environmental risk: Having your home network become a malware distribution node and/or your backups on a connected NAS server compromised, say.
(Actually, the replaceable/disposable nature of the RPi often makes it a more robust platform than the alternatives, as long as you can tolerate short outages.)
I think the project is at the investigating-tradeoffs phase. I mean, there's nothing that comes with a security guarantee, and the default Debian that ships with an RPi is fairly well supported relative to embedded systems and the price of an RPi.