For the GNU system, the issue of paramount importance is that all security decisions be a matter of local administrative choice rather than imposed by the system. For the base installation, we use the choices that we (the Hurd developers) like for our own machines and you don't have to like those choices.
For Debian, there are perhaps concerns such as Debian GNU/Hurd having a default login interface consistent with Debian GNU/Linux, or certain notions of security. I don't have an opinion about that.
