I thought that PureOS tracks Debian Unstable rather than Debian Testing. I could be wrong there.
I’m afraid you are wrong here. The Debian security team only makes sure that Debian Stable gets timely security updates. Debian immediately publishes security advisories as soon as they learn about vulnerable packages and they publish updates as soon as possible. Further, the Debian security team coordinates with upstream vendors to publish these updates before the vulnerabilities are public.
From the Debian Security Team FAQ:
Q: How is security handled for unstable?
A: Security for unstable is primarily handled by package maintainers, not by the Debian Security Team. Although the security team may upload high-urgency security-only fixes when maintainers are noticed to be inactive, support for stable will always have priority. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.
I’m not saying that PureOS is insecure. I’m only saying that I know that Debian’s software repositories are not “flawed” as @tez suggested. I am not sure about the repositories of PureOS. I would need to talk to the PureOS maintainers to find out.