I've been running Debian stable on servers for like 8 years now.
Up until recently I had a server running Debian Jessie with 1,802 days of uptime. It served a decent amount of traffic. Services on there ran unattended for literally years and it was rock solid. I ended up decommissioning the server because for the same price I could get better hardware specs so I made a new server and put on Debian Bullseye (the latest stable release as of mid-2021).
With Docker being a thing now, Debian's older but more stable package versions for app-level things (programming runtimes, databases, etc.) are less of an issue because you can run them in Docker. However, you can still get stable core system packages with Debian's impeccable track record. IMO I wouldn't run anything other than Debian on a server (including base Docker images).
For a personal distro, I think it gets more complicated. It's personal preference based on what you value. Using Debian's unstable channel could be an option for having the latest releases of things while still being stable even though it's labelled "unstable". Arch is another choice. There are many others.
That specific server wasn't running Docker so there was less to worry about from an attack surface level.
Debian stable releases get 3 years of official support and then an extra 2 years of security maintenance. Running a specific release for 5 years isn't unheard of if the workload you're running is ok with not being updated for that long.
Ideally I aim to create new servers when a new stable release is available or at least before the official 3 year time span is over.
I've never encountered a bug in any of the web apps that I developed where a kernel update solved it. I know there are other reasons to update, such as addressing security vulnerabilities, but I've also never encountered or personally heard of someone having their system compromised by a kernel vulnerability.
Of course that doesn't mean it can't happen, but for single server deploys I do value things like uptime. Rebooting is at least a 30-90 second downtime event by the time the box comes back up and your services start up again. There's also a risk that something might not play nice with the update and now you're stuck with potential downtime while under pressure until you revert the change. Hopefully that wouldn't happen with a security patch level update but it's a risk at the end of the day.
Basically, for the workloads I run, I'm confident enough in having userland system packages updated automatically and rebuilding Docker images to have the most up-to-date security patches, which is where my apps are running anyway.
For bigger updates (distro versions, kernel updates, etc.) I'm more in favor of spinning up a new server, re-deploying everything there, switching DNS over to it and shutting down the old server. In my opinion it's safer since your original server is never modified and your site is always up.
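The triage the comment describes (apply userland security patches in place, defer anything that needs a reboot to a replacement host) can be scripted. The block below is an added example, not code from the original poster. The input is constructed sample text in the format of `apt list --upgradable`, with made-up version numbers, and the list of packages treated as reboot-requiring (kernel images/headers, libc6, systemd) is this example's own assumption; on a real host you would consult `/var/run/reboot-required` or `needrestart` instead.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies pending Debian
# security updates into "apply in place" vs "replace the host".

# Constructed sample: what `apt list --upgradable 2>/dev/null | tail -n +2`
# might print on a bullseye host. Versions are invented for the example.
SAMPLE_UPGRADABLE='openssl/bullseye-security 1.1.1n-0+deb11u5 amd64 [upgradable from: 1.1.1n-0+deb11u4]
libssl1.1/bullseye-security 1.1.1n-0+deb11u5 amd64 [upgradable from: 1.1.1n-0+deb11u4]
linux-image-amd64/bullseye-security 5.10.179-1 amd64 [upgradable from: 5.10.178-3]
curl/bullseye 7.74.0-1.3+deb11u7 amd64 [upgradable from: 7.74.0-1.3+deb11u5]
nginx/bullseye-backports 1.22.1-1~bpo11+1 amd64 [upgradable from: 1.18.0-6.1+deb11u3]'

# Print "package suite" for every line whose suite ends in "-security".
# $1: text in `apt list --upgradable` format.
security_updates() {
    printf '%s\n' "$1" | awk -F'[/ ]' '$2 ~ /-security$/ { print $1, $2 }'
}

# Count the pending security updates (one per line of security_updates).
security_count() {
    security_updates "$1" | wc -l | tr -d ' '
}

# Return 0 (true) if any given package name is one whose update only takes
# effect after a reboot. The pattern list is an assumption for this example.
needs_reboot() {
    for pkg in "$@"; do
        case "$pkg" in
            linux-image-*|linux-headers-*|libc6|systemd) return 0 ;;
        esac
    done
    return 1
}

# Decide the plan for a host: "in-place" when every pending security update
# is userland, "replace-host" when at least one of them needs a reboot.
patch_plan() {
    pkgs=$(security_updates "$1" | awk '{ print $1 }')
    # shellcheck disable=SC2086  # splitting $pkgs into words is intended
    if needs_reboot $pkgs; then
        echo "replace-host"
    else
        echo "in-place"
    fi
}

# Stand-alone demo: run as `sh script.sh --demo`.
if [ "${1:-}" = "--demo" ]; then
    echo "security updates pending: $(security_count "$SAMPLE_UPGRADABLE")"
    security_updates "$SAMPLE_UPGRADABLE"
    echo "plan: $(patch_plan "$SAMPLE_UPGRADABLE")"
fi
```

Only the `-security` suite counts toward the plan; the `bullseye` and `bullseye-backports` lines in the sample are ignored, which mirrors letting `unattended-upgrades` handle security origins only while leaving feature upgrades for a deliberate rebuild.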