Most security CVEs do get backported to ESR, but android-specific ones are trickier. Mozilla doesn’t maintain Firefox for Android ESR, so those patches don’t automatically flow. Mull’s developer has to manually identify and backport those android-specific fixes, which is partly why maintanance has become too much work.