Security of Firefox is beyond awful [0]. The same is true of all currently used browsers - almost certainly each has several unpatched remote code execution holes. The overwhelming majority of professional bug-finding people are either working for the government(s) or selling bugs/exploits to them. These bugs aren't getting reported to the vendor. The occasional ones that are, are either reported by hobbyists, or professionals for marketing purposes.
You're the perfect example why Tor Browser is so bad.
>was only used against older Windows boxes
It was only used against Windows systems, but it was a Firefox exploit.
None of the CVEs listed affect the current version of Firefox.
Many of the vulnerabilities fixed are discovered by Mozilla's security team as well as community members, so while there may have been a vulnerability in the browser and it was fixed, it does not mean the vulnerability was known or used maliciously previous to being disclosed.
This is why you cannot judge the security of a product based upon the number of CVEs published. If the vendor in question has an open security program they will publicly disclose all security vulnerabilities they discovered internally. This is a common practice with most (all?) of the major browser vendors.
For example, look at the history of Google Chrome CVEs. You will notice huge spikes in the number of vulnerabilities. A little research, and you will find that was when the Chrome Security team started heavily fuzzing their code and fixing vulnerabilities before most of them were discovered by outside parties.
What you have to worry more about is vendors who don't publicly disclose security vulnerability information, so the only CVEs you see are the ones that independent parties published.
I'm aware that current browsers don't have a great security record (and present a huge attack surface). However, browser exploits are not so abundant that governments are willing to pop people left and right. A good, reliable browser exploit generally costs in the tens of thousands of dollars range, and even governments are hesitant to use those willy-nilly. Most of these can be mitigated with obvious precautions like disabling scripted media (no JavaScript, Java, Flash, etc.).
Of course, really solid security requires a lot more effort. If I were to engage in illegal purchases using the Tor browser, I would run the browser in a VM and route all VM traffic through Tor. However, as we know from experience, the Tor Browser's (very mediocre) security is sufficient for the vast majority of casual criminals.
>You're the perfect example why Tor Browser is so bad.
Gee, thanks :)
Also, none of those CVEs are for the latest version of Firefox.
None of the CVEs you linked to are exploitable in the latest Firefox. "Beyond awful" security would usually require multiple unpatched exploits. Current Firefox has none.
The security of the TBB is generally limited by the security of Firefox, which is not awful.