Saw this late: I believe they have a running policy of porting all security stuff from main rep FF and adding additional hardening on top (by disabling semi baked features and removing legacy stuff, like XP support, at a much quicker rate than regular FF releases). But how this is managed in terms of man-hours/pay/etc. - haven't got the faintest: organisational transparency is expensive but would be ever so great to get right for software vendors on the whole!