
It is way behind Debian on even the basics, sadly. Maintainers do not even sign in NixOS, making them easy to impersonate. Debian security is a joke too, though in other areas, and like nix, should never be used in production either.

See a security comparison of both with stagex: https://codeberg.org/stagex/stagex#comparison



> should never be used in production either

A very hot and very wrong take.

NixOS at least has immutable read-only system images. This makes it a thousand times less interesting to a potential attacker than a Debian system.

For every Mossad agent crafting an elaborate impersonation scheme to steal state secrets, there are a million script kiddies looking for insecure servers for a botnet.

P.S. A bigger issue is the complete inability of the "security industry" to understand even basic threat model issues. More proof that this entire "industry" is a joke and a clown show.



