"Personally I think that the decision to patch 2.x one day and 3.x the next is a very risky security decision - regardless of the fact that Mozilla thinks there is less risk to Firefox 3. The reality is that users don't patch as quickly as they should (though they do update Firefox faster than other browsers) and having a known vulnerability out there waiting to patch isn't my idea of mitigating risk properly."