Re: On Mozilla-* updates




Using new upstream versions is bound to cause new problems.  Maybe
not at the moment with only going from 1.0.4 to 1.0.6 but more
probably they will do later.

Sooner or later they will change the behaviour of the program (so users
will be confused), change the API (so plugins, language files etc
won't work anymore), alter the dependencies (so the packages will
slurp in new packages or cannot be built on stable at all).

IMHO, sloppy security support (by uploading new upstream versions) is better than no security support.

I'd say, 1.0.x (firefox, thunderbird) should go to security.debian.org (in the hope that it doesn't cause other problems) because sarge users expect to get fixed packages from there. Of course, that will need testing.

For 1.5.* (firefox, thunderbird), it should also be put on security.debian.org when it first fixes any security related issues, but only as long as the only problems are untranslated strings. (We can make the langpacks available from some separate location, if needed.)

For mozilla, the problems are hopefully smaller, because 1.7.* will probably stay more or less as it is, and new upstream versions are security fixes plus some small bug fixes. (I have to admit that I didn't verify that claim by looking at the source code.)

For etch, mozilla packages should be supported by some separate location (like volatile.debian.net), and people who install desktop systems should be asked if they want to add that location to their sources.list.

Willi


