Thanks everybody for the pointers. I fixed it now with:

Subject: [PATCH] Ensure cmake builds also apply CPPFLAGS flags for hardening
 to fully work

 debian/rules | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/debian/rules b/debian/rules
index 3a16f8bfa..2e7536b9c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,6 +7,11 @@ export DH_VERBOSE=1
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 include /usr/share/dpkg/default.mk
+# CPPFLAGS are nor read by CMake, so copy them to CXXFLAGS
+# See why at https://cmake.org/Bug/view.php?id=12928
+# This is needed for e.g. all automatic Debian hardening flags to
apply on all cmake builds.

 # Only do a strict symbol checking on Linux
 ifneq (,$(filter linux,$(DEB_HOST_ARCH_OS)))


