Another aspect worth mentioning is that debsecan's information can be used to decide to remove packakes based on knowledge of their unpatched vulnerabilities. In other words, if one were sufficiently motivated, he or she could strip out all of the vulnerable packages reported by debsecan; although certain low-level libraries have to many reverse dependencies and are particularly hard to expunge.
Another can use is to keep an eye on particularly vulnerable packages, which can be dropped in favor of alternatives with a better security track record (e.g. gcj over openjdk, chromium over webkit).
Failing the above, one could use any remaining motivation along with debsecan to determine which packages one wants to fix themselves; preferably followed by uploading that fix to something like debian-mentors  so that every debian user can take advantage of that good work.
And maybe one day that work results in becoming a debian developer, as in my particular experience.