I agree with the point that you need to be comfortable maintaining it so I'm moved to offer this short story:
A while ago I bought a new server. Along with the new hardware (IBM 345 w/6 10000 RPM SCSI HDs) I bought a copy of SUSE Linux Enterprise Server (SLES) and even had a certified SLES guy at the local IBM dealer set it up for me.
I ran yast regularly to update it from SUSE's (later Novell's) servers and everything seemed fine until I suddenly found the machine's IP address listed on RBLs. It turned out that the fully patched server was compromised (read: hacked) in a way that allowed spammers to send mails through a PHP mail script to any address they liked. I asked the SUSE guy about it and he just shrugged, so a friend and I did a backup of the pertinent files being served out of that server plus the MySQL databases and wiped it clean, installed Debian Sarge + linux-vserver and have never looked back.
Updating is as simple as apt-get update && apt-get upgrade, and even though we're using the current stable branch of Debian (which is not exactly "bleeding edge"), the version of PHP is newer than the one offered with the copy of SLES I bought, plus we're able to install packages quite easily without having to drive down there to install CDs (apt-get install .
This has made me a firm believer in "dynamic distros" such as Debian and its derivatives. It just works...for me.