Is Firefox the Most Secure Web Browser?--Part 3
Microsoft's Jeff Jones discusses Mozilla's Mike Shaver's point that "You Can Only Count What The Vendor Wants You to See."
Of course, there is another possibility. It may be that some of the vulnerabilities have already been fixed silently. That seems unlikely, given what Mozilla has said about this:
"It is well known that Microsoft redacts release notes for service packs and bundles fixes, sometimes meaning that you get a single vulnerability 'counted' for, say, seven defects repaired." (again, from Counting Still Easy...)
I think I'm safe interpreting that statement to mean that Mozilla thinks silent fixes are bad, bad, bad. So, let's see if we can do some Critical Thinking and figure this out.
Check #2—Are There Cases of Multiple Mozilla Vulnerabilities Assigned a Single Identifier?
I can easily check to see if any of the CVE identifiers addressed by Mozilla were actually bundled together for that one identifier. I'm not going to be exhaustive, just do some basic searching and see what I find.
- MFSA 2008-69: Lists CVE-2008-5513 as fixed. However, the text includes "...one variant could be used...", indicating that at least two issues were addressed. The SessionStore XSS hazard link indicates four bugzilla entries apply, but I don't have permission to view them, so I couldn't get more detail.
- MFSA 2008-68 / CVE-2008-5512: Quoted from the NVD, "...Multiple unspecified vulnerabilities in Mozilla Firefox 3.x..."
- MFSA 2008-52 / CVE-2008-5016: Quoted from the NVD, "...allows remote attackers to cause a denial of service (crash) via multiple vectors..." and has 11 bugzilla cases associated with the single vulnerability identifier.
- CVE-2008-4064, CVE-2008-4063, CVE-2008-4062: Quoted from the NVD, "Multiple unspecified vulnerabilities in Mozilla Firefox..."
- CVE-2008-2798, CVE-2008-2799: Quoted from the NVD, "Multiple unspecified vulnerabilities in Mozilla Firefox..." Examining the other links provided, there appear to be three bugzilla cases for the former and four for the latter.
- CVE-2006-6505: Quoted from the NVD, "Multiple heap-based buffer overflows..."
- CVE-2006-5464: Quoted from the NVD, "Multiple unspecified vulnerabilities in the layout engine in Mozilla Firefox..."
That is probably enough examples to make the point clear—there are many more examples that I found, but didn't dig into. In each of these cases, one vulnerability identifier is being assigned and referenced, when in reality several separate bugs or variants are actually being addressed. I think an accurate description of this might be that from Mozilla, you get a single vulnerability counted for, say, several defects repaired. Sound familiar?
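To show what this check looks like when applied systematically, here is a small added example (my own illustration, not code from the original post or from Mozilla/NVD) that scores NVD-style records two ways: once per identifier and once per estimated distinct defect, using the two signals used above, distinct bugzilla references and "Multiple"/"variant" wording. The records are constructed from the counts stated above; the bugzilla ids and the control entry CVE-0000-0000 are placeholders.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Advisory:
    """One vulnerability record as pulled from NVD or an MFSA page."""
    cve: str
    description: str
    bug_refs: list = field(default_factory=list)  # bugzilla URLs

BUG_ID = re.compile(r"show_bug\.cgi\?id=(\d+)")
MULTI = re.compile(r"\b(multiple|variants?)\b", re.IGNORECASE)

def estimate_defects(adv):
    """Lower bound on distinct defects behind one identifier.

    Distinct bugzilla references are the strongest signal; failing that,
    wording such as "Multiple ..." or "one variant" implies at least two.
    """
    bugs = {m.group(1) for ref in adv.bug_refs for m in BUG_ID.finditer(ref)}
    if len(bugs) >= 2:
        return len(bugs)
    return 2 if MULTI.search(adv.description) else 1

def count_both_ways(advisories):
    """Return (identifiers counted, estimated defects repaired)."""
    ids = len(advisories)
    defects = sum(estimate_defects(a) for a in advisories)
    return ids, defects

def bug_urls(n, start=900001):
    # Constructed placeholder bugzilla links; the real ids are not in the post.
    return [f"https://bugzilla.mozilla.org/show_bug.cgi?id={i}"
            for i in range(start, start + n)]

# Constructed records mirroring the counts and wording quoted above.
SAMPLE = [
    Advisory("CVE-2008-5513", "SessionStore XSS hazard; one variant could be used"),
    Advisory("CVE-2008-5512", "Multiple unspecified vulnerabilities in Mozilla Firefox 3.x"),
    Advisory("CVE-2008-5016", "denial of service (crash) via multiple vectors", bug_urls(11)),
    Advisory("CVE-2008-2798", "Multiple unspecified vulnerabilities", bug_urls(3, 910001)),
    Advisory("CVE-2008-2799", "Multiple unspecified vulnerabilities", bug_urls(4, 920001)),
    Advisory("CVE-2006-6505", "Multiple heap-based buffer overflows"),
    Advisory("CVE-0000-0000", "Buffer overflow in the image decoder", bug_urls(1, 930001)),
]

if __name__ == "__main__":
    ids, defects = count_both_ways(SAMPLE)
    print(f"identifiers: {ids}, estimated defects: {defects}")
```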
I expect that Mozilla might say that since their entries are searchable and sometimes listed, they are transparent, but it seems like a quibble. One of the main criticisms of "silent fix" behavior that researchers raise is that the individual issues were still easy to find for those who knew how to reverse engineer updates, and that attackers would "...write exploits for all vulnerabilities regardless of what is in (the) bulletin." This concern should apply equally here.