The security patches are largely from Mozilla's Gecko/SpiderMonkey/Toolkit work. The people who create the patches tend to be Mozilla employees. Looking over the 45.x Thunderbird releases, I don't see a single Thunderbird-specific security fix. [1]
The team that qualifies and does the release work for Thunderbird are volunteers. I believe that the builds are done on Mozilla hosted hardware.
One might care where the patches come from as a volunteer community could be less reliable over time than the paid Mozilla staff. I know I certainly feel that way.
But if you prefer security updates from paid employees of an organization rather than volunteers, surely a commercial product rather than a free one would be more suitable for your needs?
> One might care where the patches come from as a volunteer community could be less reliable over time than the paid Mozilla staff. I know I certainly feel that way.
The people who are making these complaints are disproportionately those who have no problem using Debian or Arch, so I don't think that's the crux of the issue for them.