Take a hard look at one of the Metasploit frameworks (I'm sure most of you have heard of it).
Now which OS has more vulnerabilities/exploit modules loaded for it? Go ahead... I'll wait....
That would be Windows, of course. Who owns Windows?
Which Internet browser has the most exploits on Metasploit?
No surprise there, it's MICROSOFT Internet Explorer.
Granted, Firefox has a few too (such as the case here with IFRAMES) but it's nowhere near what IE comes loaded with, straight out of the box.
Now the point of this is simple... closed source versus open source. In a proprietary market, you run into the problem of having one large company (such as M$) try to "prioritize" their agendas to suit its needs and it seems to show that they often lack in response to disclosed security vulnerabilities. It often takes much longer for M$ to patch a hole than it does for Mozilla.
On top of all that, when M$ releases a product, it's often on a "deadline". They have to get xx units out by yy day. The whole "Well, we'll just fix that later" attitude tends to kick in and takes a toll rather quickly. I want to say that it's something like 300 out of the 500+ exploits in Metasploit are in Microsoft-owned or other proprietary software.
The rate at which open sourced bugs are FOUND and FIXED is incredibly fast in comparison. The amount of exploits you find for open source software is next to nil... and the ones that you DO find are often patched by users rather quickly as well.
My point is simple... Firefox has a vulnerability... but what doesn't? But that's only a small peanut compared to the mammoth amount of vulnerabilities discovered for IE.
Now, I must say that I don't agree with Mozilla's viewpoint on not fixing the bug, but maybe they have their reasons. I'll do my own research/testing before I decide to take anyone's side on that argument.