Yes, to be clear, we only ever make rare exceptions to "backport" software from more recent testing or unstable Debian releases back to stable. When we do, they tend to be providing specific functionality that is required as part of the release. E.g. in our current jessie release, we've provided the following packages:
- ruby-acme-client (for Let's Encrypt)
- ruby-bindata (for ruby-acme-client)
- ruby-json-jwt (for ruby-acme-client)
- ruby-securecompare (for ruby-acme-client)
- ruby-url-safe-base64 (for ruby-acme-client)
- ruby-cracklib (to check weak passwords)
- ruby-linux-netlink (to manipulate network interfaces)
- prosody-modules (to allow XMPP login via Dovecot auth)
- squirrelmail-change-pass (to allow people to change email password in Squirrel Mail)
All of these are relatively small packages, unlike PHP. The more software we ship, the more we have to monitor for security vulnerabilities, so it is much easier not to backport, and rely on Debian security updates instead.
Hope this makes sense!