Debian not recommends testing for everyday using. You definetely have to look at the site. Afaik it is basically a bad version of unstable that gets slow updates and it is only for testing purposes.
Yes, this is correct. The way Testing works, it is very possible (indeed, likely) that you could be stuck with a security vulnerability for weeks. You should use either stable or unstable.
Yes, as long as you pay attention to what packages are being added and removed when you perform an update. Once in a great while, there have been instances of buggy packages mass-removing other packages due to a bug.
That said, Debian-based distros like Ubuntu usually base their stable releases on unstable. Unstable doesn't refer to software stability. Rather, it refers to the idea that the system-level packages could change throughout the development cycle.
Security updates come to unstable through normal package updates, which testing doesn't get until everything makes it through a probationary period with no "serious" bugs filed and no dependency issues. And if any package that the package needing the security patch depends on also has a serious bug filed, the process could take even longer.
Packages from debian unstable trickle down to testing in 8-10 days usually if all the other criteria are met. But I have also heard that important security updates go straight from unstable to stable and then come to testing at a later time. When is that later date I have no idea.