Security fixes are generally backported, yes. Critical (like, show stopping, unable to use Discourse) bugs are backported too. But many less critical bugs may not be. Backporting itself comes with risk, unintentional regressions can always occur, it forces users on stable to update, etc.
Our general recommendation is that sites follow the tests-passed branch (as is default), and update when a new release (beta) is out. There are certain cases where stable may be recommended, for example a site with complex plugins that override core templates, but for a standard, docker install site, stick with tests-passed. While the term “beta” in the software industry tends to make people think “there will be bugs”, that isn’t our intended use. All releases of Discourse, tests-passed, beta, stable, etc. have bugs.
If you find a bug on tests-passed and report it, chances are good will fix it within a few days and you can update to make the bug go away. You may encounter more (as in unique) bugs, but they’ll be fixed quickly. On stable, as Kris mentioned, you shouldn’t see any new bugs over the 4-6 month release, but any bugs you do have won’t go away until the next stable release. You’re likely to have more bugs at any given time than on tests-passed, since they’re not being patched, but the bugs should be constant.