It uses a hard fork of Firefox's Gecko engine called Goanna, and is independently developed other than a few security patches from upstream. It has considerably diverged from contemporary Firefox so is not comparable.
They do have access to them. The lead developer and project owner has sec bug access in bugzilla.
But vulnerabilities in newer Mozilla have over time become less and less relevant in Pale Moon's codebase, which led to the latter dropping the tracking of how many Mozilla security patches have been applied in the release notes (starting with 33.0.1).
