Actually, on Debian, it's not any harder than on, say, Solaris. :)
Yes, so far I've always fallen back to installing from source, mostly
because I already knew how to do it, and at least that way I could do
it exactly (well, almost...) the same on Solaris, Debian, and Red Hat.
But in this case, the Right Way would be to build your own OpenSSL
0.9.7b binary package for Debian Stable. Probably using the same
source package that's in testing now, you just need to rebuild with
the older Stable tool chain.
Personally, I haven't gotten around to actually doing that sort of
thing yet, but my understanding is it's not bad. At least, several
people here do that sort of thing, and I've read (on the Beowulf
mailing list, other places) that it's not unusual for admins of large
clusters to choose to rebuild most of their binary packages from
source packages as a matter of course.
For Debian though, I bet someone has already done it, and if you like
you can just add a line to your /etc/apt/sources.list and download their