Until there's security oriented configurability, I can't say Netscape has anything better than an acceptable record. They do a decent job of fixing the bugs, but only if you can enfore deployment of a new version, and ensure that old, bad features are not used.
I guess that I have confidence in Netscape because they have a history of responding to concerns posted here and elsewhere. Security oriented configurability will be a good test -- I would be surprised if it doesn't come out soon. What are we talking about specifically when we talk about security oriented configurability? Rather than just turning java(script) on and off, wouldn't it be useful to piggyback off of the X.509 system that's already in place? For every CA's or server's cert, they'd just have to add two checkboxes: whether or not to run java applets or javascript code from servers vouched for by those certs. Is that what people mean when they talk about configurability, or just the ability to shut down java*script) all together?