Whoops.
The following has just been posted to debian-devel-announce:
A bug has been discovered in the 3.1r0 CD/DVD images: new installs from these images will have a commented-out entry in /etc/apt/sources.list for "http://security.debian.org/ testing/updates" rather than an active entry for "http://security.debian.org/ stable/updates", and thus will not get security updates by default. This was due to incorrect Release files on the images.If you have already installed a system using a 3.1r0 CD/DVD image, you do not need to reinstall. Instead, simply edit /etc/apt/sources.list, look for any lines mentioning security.debian.org, change "testing" to "stable", and remove "# " from the start of the line.
If you installed other than from a CD or DVD (for example, netboot, or booting from floppy and installing the base system from the network), you are not affected by this bug.
New 3.1r0a images will be available shortly to correct this flaw. We apologise for the inconvenience.
The CD team is already working on making fixed ISOs/jigdos/torrents available; unfortunately, with 11 architectures and multiple media sizes, this process takes a while, so it will probably be a day or two before the fixed 3.1r0a images are available everywhere.
So yeah, don't go pressing those 10,000 copies of sarge just yet.