RPis are a pain in the ass... And no I didn't read this whole thread or anything linked from it.
This should already be done on newer installs since the install script does it. But if you are seeing the debian security repo, do the following on an RPi ONLY!! There is no need to do this on anything but an RPi.
sudo omv-env set OMV_APT_USE_OS_SECURITY false
sudo omv-salt stage run prepare
sudo omv-salt deploy run apt
sudo omv-aptclean