Debian has a release maturity model, where Unstable, Sid, is where all the new stuff goes in. If it sticks, then Unstable becomes Testing, in which nothing can be added during testing. This typically lasts 1.5 - 2 years. If no problem at that point, Testing becomes the new Stable release.
Security updates are made to Stable first, then to Testing.
Debian Stable is notoriously stable, and notoriously behind the times, but very reliable for servers.
Ubuntu came along and said: we take Debian Unstable, make it more stable, add all the latest gadgets, drivers, etc, and release it.
Ubuntu then works at the security updates, package updates, etc, for their Ubuntu releases.
Note that I gladly use Ubuntu on the desktop, but I stick to Debian Stable for servers.
