There is nothing inherently worse in Debian compared to Fedora AFAIK. The security risks depend on your threat model, i.e. whether you trust Debian or Fedora more and which attacks you are trying to prevent. See also previous discussion.
Apart from that, to decrease the attack surface, you can use minimal templates for sys-firewall or even make it disposable as documented here.
If you want to make your Qubes OS more secure, have a look here:
How to make your Qubes OS more secure (Best Practices)