[Thomas, I'm not sure if you are on the debian-security list, so I'm CCing you]
Are you prepared to make sure all the packages that depend on mozilla will have packages ready to enter at once?
This would only be necessary in case of an API/ABI change, right? The mozilla people have shown to care about the API. See the warnings about the 1.0.5 release, the issues were soon after corrected by 1.0.6.
And in the case of a new major upstream version, which should only be an issue 1 or 2 times while the Debian release cycle, I think it's doable.
To make that easier, I propose to set up security testing scripts, where we upload the new upstream versions (and related packages if neccessary) as soon as they are available (so we can fix build issues, etc.), but wait with the release to the offical security repository until they are necessary. That way, we minimize the needed time and work until security updates can be released, and the new major new upstream versions can be tested by a wide audience.
Willi