Debian and Ubuntu have the unattended-upgrades package which is handy for if you have more than just a handful of virtual servers to deal with. You can easily configure it to perform security updates nightly. Does Arch Linux have something similar ?
pacman -Syu in crontab? But seriously, why do you run Arch on production servers?
Because you can. Hetzner even has an official (supported) install script for Arch Linux via the rescue mode. It is a myth that Debian is rock solid regarding security. Backporting is not the holy grail. e.g. Years ago in Debian they made a policy change for the Wordpress packages because they could no longer cope with backporting it, so they are following upstream more closely. Then there is the imfamous SSL package disaster with Debian from years ago.
This one says you really shouldn’t do it, but there is a command in there.
To echo what nutomic said, most of our production servers at work are either Debian Stretch (some old Jessie systems are still sitting around though) or Windows Server 2016 and 2019. Running a bleeding edge distro on production is risky at best.
There is servers and there is vservers and containers. I am not sure what Debian LTS involves regarding security updates, as it does not concern all packages. https://endoflife.software/operating-systems/linux/debian#9-0 For vservers running one service it is totally fine to follow upstream. And for servers I see no security cons.
A loosely moderated place to ask open ended questions
If your post is
it’s welcome here!