I thought you articulated your question extremely well, @grahamperrin; however, I wouldn’t take it personally—and certainly wouldn’t be surprised—if a thorough, authoritative answer never shows up.
That’s simply due to the impetus we all know that’s placed upon security due to the vital role it plays in both browser development and continuity. In terms of overall interest and the ensuing traffic the reports receive, I don’t feel I’m speaking out of turn by assuming the metrics must be quite low. The MFSAs are most likely posted with only a niche audience in mind and for transparency/documentation purposes.
The question still has merit, no doubt about that; check out (and maybe even get involved with) Bugzilla if you haven’t already. That is, if this subject matter is something you’re interested in beyond mere curiosity.
Kudos for taking the initiative and asking, though!
Best of luck.