The idea is that when a security bug is found, Mozilla writes a patch against the current Firefox version, but Debian must patch whatever version is the Debian Stable, so they must write a patch to the earlier version of the source. Since the code has changed in between, the patch is different, even if it fixes the same bug.
Mozilla writes patches against all supported Firefox versions (that's what being supported means!), and as already stated, Debian only uses officially supported versions for Iceweasel. So no, there are never security patches that Debian needs to backport for stable because they are always already upstream.
Look, the version of Iceweasel in Debian Stable is based on Firefox 24. According to the Firefox ESR calendar, Firefox 24 will got out of support in October. But the new version of Debian Stable won't be released before December, at least, and Debian doesn't upgrade the major version of a package in Stable.
So how exactly can Debian patch Iceweasel using Mozilla's patches between October and January?
