How hard is it to just keep up on security patches for old browsers?
A security patch isn't as simple as deciding "Oh, we don't want to have that vulnerability any more" and commenting out a setting. If it was that easy, there wouldn't be very many vulnerabilities at all.
On the one hand, any time you find a new vulnerability (or a new class of vulnerabilities), you have to audit all the nooks and crannies of the code base in order to identify either the problem itself, or the problem areas that are affected.
On the other hand, any time you change a line of code, you have to recompile. That means, to release the patch, you'll have to recompile for *every target OS*, and you'll have to *test* on every one of those OSes.
Surely when considering both of those complicating factors, you can see what Mozilla's motivations might be for retiring old support branches with a relatively limited user base?