I've been using MariaDB, "an enhanced, drop-in replacement for MySQL" on my Debian stable servers for years, because of its increased performance.
However, I've noticed that it appears to lag with relation to security updates in MySQL; for instance, there's DSA 3229-1, which lists several vulnerabilities which do not appear to be patched in the Debian stable mariadb package.
Is this a security versus speed tradeoff? Is MariaDB generally behind on security updates or is this just a one-off?
MariaDB is not a performance-enhanced MySQL version.
MariaDB is the forked MySQL version currently used in the open-source space. It was forked from MySQL due to mistrust in how Oracle would behave with regard to the original MySQL code. You can see here for more information.
While until version 5.1 both were more or less the same code, by 5.5 this changed significantly. This means that they are now two different (albeit largely compatible) products, so it is not automatic that errata affecting one (e.g. MySQL) are applicable to the other (MariaDB).