To answer that, you must understand how testing works. Packages first are updated in Sid (unstable), then they go to Testing. At a certain point of the release cycle, Testing stops being updated to become the new Stable version. So basically Testing is not constantly updated. Also, security patches don’t follow this route: instead, they arrive in Sid first (thanks to the maintainers themselves) and then they get into Stable first (by the Debian team) because Stable has the priority. Only after that, they arrive in Testing.
Also see this paragraph from the Debian Wiki regarding security:
Security for testing benefits from the security efforts of the entire project for unstable. However, there is a minimum two-day migration delay, and sometimes security fixes can be held up by transitions. The Security Team helps to move along those transitions holding back important security uploads, but this is not always possible and delays may occur. Especially in the months after a new stable release, when many new versions are uploaded to unstable, security fixes for testing may lag behind.
Also:
Compared to stable and unstable, next-stable testing has the worst security update speed. Don’t prefer testing if security is a concern.
My advice to everyone who wants Debian to be more current is to just run Sid (unstable). It’s always going to be more secure and up-to date than Testing. Also, it works like a rolling-release distro, i.e. the updates are incremental and constant
EDIT: whatever you do, read and follow this guide. apt-listbugs and apt-listchanges especially will save your ass constantly