
I guess the question will be how fast CentOS Stream releases fixes compared to Debian Stable/Testing and Ubuntu LTS.


It will almost certainly be slower than Ubuntu just because of the extra layer of work mentioned above.


Canonical are also fairly actively involved in security fixes and among those brought in to the various security embargoes. They usually ship packages the same day embargoes drop.


If by "involved" you mean "take patches that someone else developed and shared on the distros predisclosure list", then they are.


Interesting, who else is involved in the embargoes? Anywhere I could read more about this?


It depends on where the vulnerability is. Everything is all ad-hoc, each piece of open source software decides how they want to handle it, attempting to juggle the chances of a leak. The fewer you tell, the more likely the secret is to be kept, and you want to keep these things secret until a patch is done.

The Linux kernel maintainers have a private list where they co-ordinate some of this stuff, and every major Linux distribution will have engineers on it.

That's partly why you see things like OpenBSD etc. being left on the margins. Certain maintainers have been quite vocal about not adhering to embargoes, which really doesn't help them. It's an idealist vs pragmatist thing going on there.


Embargoes are coordinated on the "linux-distros" mailing list:

https://oss-security.openwall.org/wiki/mailing-lists/distros



