
While I agree with you that the threat model may or may not be very relevant for your usage, I disagree that just because you're on an old/minority version you'll be less likely to get pwned. Try hooking up some Windows XP and some of its services to the internet sometime... Additionally for software like browsers many vulnerabilities are found that affect basically every previous version back several years, and only get fixed in the newer versions. Of course there will be new vulnerabilities that only affect FF > 56 that you don't care about.

FWIW I'm still on 52.9.0 on my home PC... (At work I use the latest, it does keep improving, but feels very much 2-steps-forward-1-back when they keep doing stuff like removing long-standing features.) Some of the vulnerabilities that have been fixed in later versions are potentially concerning. I rely a lot on NoScript (pre-Quantum NoScript even detects click-jacking attempts, which post-Quantum doesn't), ad blocking, link un-shorteners, not running Windows/MacOS, and generally not visiting every sketchy site I may be pointed to, but it's still risky -- e.g. a rogue SVG might pwn me one day. I've accepted the risk, for now.

Even as the risk becomes untenable, I worry that as Mozilla continues its war against its users we'll end up in a Windows 10 situation where malware that's actually out there (rather than hypothesized) targeting older versions is generally going to be more respectful of your PC than the software vendor is. A lot of malware probably won't force you to reboot (or restart -- had a wtf moment when I opened a new tab in FF and it couldn't render anything, saying I needed to restart because it had silently updated something), or remove features you use all the time, or constantly nag at your attention about stupid stuff... Ransomware is probably the most user-unfriendly you're likely to get (that impacts your experience, I'm ignoring passive data harvesters that drain your bank account when you're on vacation), but then you have backups, right?




>While I agree with you that the threat model may or may not be very relevant for your usage, I disagree that just because you're on an old/minority version you'll be less likely to get pwned.

It's not quite that - the context of where the attack is coming from is important.

A site that has been compromised isn't the same threat as visiting an actively (and always) malicious website which isn't the same threat as downloading and opening files which isn't the same threat as downloading new software, installing, and running it.

If I ran JavaScript, I'd have a different threat model. If I regularly downloaded files or software, I'd have a different threat model. If I browsed every website I come across like some sort of a web crawler, I'd have a different threat model.



