There are several reasons for security vulnerabilities:

- the programming language used to write applications like Firefox has architectural issues that cause a large amount of security vulnerabilities - there are a large number of researchers whose job is to find vulnerabilities. - new features are constantly being added. Most issues come from recently added features.

Most vulnerabilities are patched quickly after they are found, and most issues are found before they are ever exploited.

This is also not a problem unique to Firefox. So far in 2015, there have been 62 security vulnerabilities in google chrome, and last year there were 127. By my count, Firefox has only had 29 security vulnerabilities found so far this year (although I may have miscounted).

Mozilla also has a research project they are testing that uses a new design that will significantly reduce the number of security vulnerabilities.

https://www.mozilla.org/security/known-vulnerabilities/firefox.html

http://arstechnica.com/security/2015/03/all-four-major-browsers-take-a-stomping-at-pwn2own-hacking-competition/ https://threatpost.com/flash-reader-firefox-and-ie-fall-on-pwn2own-day-1/111720 https://threatpost.com/all-major-browsers-fall-at-pwn2own-day-2/111731

The only difference 36.0.4 has over 36.0.3 was for a security fix. These are chemspill updates that are for security and allowed stability fixes that could not wait for next major Release. https://www.mozilla.org/en-US/firefox/releases/